Palo Alto Networks PCNSC Practice Test - Questions Answers, Page 2
Question 11
Which of the following Palo Alto Networks features can help reduce the attack surface by limiting the number of applications allowed through the firewall?
Question 12
How can you enforce a security policy based on the device type?
Question 13
What is the purpose of the WildFire Analysis Profile in a security policy?
Question 14
A customer has deployed a GlobalProtect portal and gateway as its remote-access VPN solution for its fleet of Windows 10 laptops.
The customer wants to use Host Information Profile (HIP) data collected at the GlobalProtect gateway throughout its enterprise as an additional means of policy enforcement.
What additional licensing must the customer purchase?
Explanation:
To utilize Host Information Profile (HIP) data collected at the GlobalProtect gateway for policy enforcement throughout the enterprise, the customer needs to purchase a GlobalProtect license for each firewall that will use HIP data to enforce policy. The GlobalProtect license enables the firewall to collect and use HIP data to create policies based on the security posture of the endpoints.
Palo Alto Networks - GlobalProtect Licensing: https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-licenses
Question 15
Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three)
Explanation:
To set up tunnel monitoring on an IPsec VPN tunnel between two offices, the following steps are needed:
A. Create a monitoring profile: This profile defines the criteria for monitoring, such as the IP address to ping and the failure condition.
B. Add an IP address to each tunnel interface: Tunnel monitoring requires an IP address on each tunnel interface to send and receive monitoring pings.
E. Enable tunnel monitoring on each IPsec tunnel: This step activates the monitoring profile on the IPsec tunnel, ensuring that the tunnel is actively monitored and can trigger alerts or failover mechanisms if the tunnel goes down.
These steps ensure that the tunnel is properly monitored, allowing for proactive detection and response to connectivity issues.
Palo Alto Networks - Configuring IPsec Tunnel Monitoring: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/site-to-site-vpn/configure-ipsec-tunnel-monitoring
Question 16
DRAG DROP
Match the App-ID adoption task with its order in the process.
Explanation:
Palo Alto Networks - App-ID Best Practices: https://docs.paloaltonetworks.com/best-practices
Palo Alto Networks - Migration from Legacy Firewalls: https://docs.paloaltonetworks.com/migration
Question 17
In preparation for a cutover event, what two processes or procedures should be verified? (Choose two)
Explanation:
For any cutover event, especially when dealing with network security infrastructure like Palo Alto Networks firewalls, it is critical to ensure that:
Change Management Requirements (B): This involves verifying that all planned changes have been approved, documented, and communicated to all relevant stakeholders. The change management process ensures that any modifications are controlled, predictable, and include a rollback plan in case of issues.
Reference: Palo Alto Networks Best Practices for Change Management Documentation.
Roles and Responsibilities (C): Clearly defined roles and responsibilities ensure that everyone involved knows their specific tasks during the cutover. This reduces confusion, ensures accountability, and helps in the smooth execution of the cutover plan. It includes defining who is responsible for specific tasks, who needs to be notified, and who has the authority to make decisions.
Reference: Palo Alto Networks Operational Best Practices Documentation.
Question 18
What is the default port used by the Terminal Services agent to communicate with a firewall?
Explanation:
The default port used by the Terminal Services agent to communicate with a Palo Alto Networks firewall is 5007. The Terminal Services agent (TS agent) integrates with Microsoft Terminal Services to associate user information with sessions, enabling User-ID to accurately map user identities to security policies.
Reference: Palo Alto Networks Terminal Services Agent Documentation.
Question 19
DRAG DROP
Identify the stakeholder with their role when planning a Firewall, Panorama, and Cortex XDR deployment.
Explanation:
System Administrator - They are responsible for the deployment and maintenance of software, including the Cortex XDR client. This includes distributing the software across the organization and ensuring it is up to date.
Security Operations Analyst - Their primary responsibility is to monitor and analyze security events, manage alerts, and respond to threats. They play a critical role in incident detection and response.
Network Engineer - They ensure the network infrastructure is properly configured for routing, switching, and general device interconnectivity. This ensures that all components, including firewalls and endpoint security solutions, can communicate effectively.
Question 20
A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy-based VPN peer. After the initial configuration is completed and the changes are committed, phase 2 fails to establish.
Which two changes may be required to fix the issue? (Choose two)
Explanation:
When configuring a site-to-site VPN between a Palo Alto Networks Next-Generation Firewall (NGFW) and a third-party device with a policy-based VPN peer, Phase 2 failures can often be attributed to configuration mismatches or missing parameters. Here are the two changes that may be required to fix the issue:
B. Verify that PFS is enabled on both ends: Perfect Forward Secrecy (PFS) is a method that ensures the security of cryptographic keys. Both ends of the VPN tunnel need to agree on whether PFS is used. If PFS is enabled on one side but not the other, Phase 2 will fail. Verify the PFS settings and ensure they are matched on both the Palo Alto firewall and the third-party VPN device.
D. Add proxy IDs to the IPsec tunnel configuration: Proxy IDs (or traffic selectors) define the specific local and remote IP ranges that are allowed to communicate through the VPN tunnel. They are particularly crucial when dealing with policy-based VPNs. If the proxy IDs are not correctly configured, Phase 2 negotiations will fail. Add the appropriate proxy IDs to the IPsec tunnel configuration to match the policy-based VPN settings of the third-party device.
Palo Alto Networks - Configuring Site-to-Site VPN Between Palo Alto Networks and a Third-Party Firewall: https://docs.paloaltonetworks.com
Palo Alto Networks - VPN Configuration Guidelines: https://knowledgebase.paloaltonetworks.com