Palo Alto Networks PCNSC Practice Test - Questions Answers, Page 2

Which of the following Palo Alto Networks features can help reduce the attack surface by limiting the number of applications allowed through the firewall?

A. URL Filtering
B. App-ID
C. User-ID
D. Content-ID
Suggested answer: B

How can you enforce a security policy based on the device type?

A. Use User-ID
B. Use Device-ID
C. Use App-ID
D. Use Content-ID
Suggested answer: B

What is the purpose of the WildFire Analysis Profile in a security policy?

A. To specify which files are sent to WildFire for analysis
B. To configure the WildFire subscription settings
C. To enable WildFire to analyze all network traffic
D. To define the action to be taken on files analyzed by WildFire
Suggested answer: A

A customer has deployed a GlobalProtect portal and gateway as its remote-access VPN solution for its fleet of Windows 10 laptops.

The customer wants to use Host Information Profile (HIP) data collected at the GlobalProtect gateway throughout its enterprise as an additional means of policy enforcement.

What additional licensing must the customer purchase?

A. DNS Security on the perimeter firewall
B. GlobalProtect license for each firewall that will use HIP data to enforce policy
C. WildFire license
D. GlobalProtect license for the gateway firewall
Suggested answer: B

Explanation:

To utilize Host Information Profile (HIP) data collected at the GlobalProtect gateway for policy enforcement throughout the enterprise, the customer needs to purchase a GlobalProtect license for each firewall that will use HIP data to enforce policy. The GlobalProtect license enables the firewall to collect and use HIP data to create policies based on the security posture of the endpoints.

Palo Alto Networks - GlobalProtect Licensing: https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-licenses

Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three)

A. Create a monitoring profile
B. Add an IP address to each tunnel interface
C. Restart each IPsec tunnel
D. Restart each IKE gateway
E. Enable tunnel monitoring on each IPsec tunnel
Suggested answer: A, B, E

Explanation:

To set up tunnel monitoring on an IPsec VPN tunnel between two offices, the following steps are needed:

A. Create a monitoring profile: This profile defines the criteria for monitoring, such as the IP address to ping and the failure condition.

B. Add an IP address to each tunnel interface: Tunnel monitoring requires an IP address on each tunnel interface to send and receive monitoring pings.

E. Enable tunnel monitoring on each IPsec tunnel: This step activates the monitoring profile on the IPsec tunnel, ensuring that the tunnel is actively monitored and can trigger alerts or failover mechanisms if the tunnel goes down.

These steps ensure that the tunnel is properly monitored, allowing for proactive detection and response to connectivity issues.

Palo Alto Networks - Configuring IPsec Tunnel Monitoring: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/site-to-site-vpn/configure-ipsec-tunnel-monitoring

DRAG DROP

Match the App-ID adoption task with its order in the process.

[Question 16: the task list and its correct ordering were presented as an image and are not reproduced here.]

Explanation:

Palo Alto Networks - App-ID Best Practices: https://docs.paloaltonetworks.com/best-practices

Palo Alto Networks - Migration from Legacy Firewalls: https://docs.paloaltonetworks.com/migration

In preparation for a cutover event, what two processes or procedures should be verified? (Choose two)

A. auditing
B. change management requirements
C. roles and responsibilities
D. logging and reporting
Suggested answer: B, C

Explanation:

For any cutover event, especially when dealing with network security infrastructure like Palo Alto Networks firewalls, it is critical to ensure that:

Change Management Requirements (B): This involves verifying that all planned changes have been approved, documented, and communicated to all relevant stakeholders. The change management process ensures that any modifications are controlled, predictable, and include a rollback plan in case of issues.

Reference: Palo Alto Networks Best Practices for Change Management Documentation.

Roles and Responsibilities (C): Clearly defined roles and responsibilities ensure that everyone involved knows their specific tasks during the cutover. This reduces confusion, ensures accountability, and helps in the smooth execution of the cutover plan. It includes defining who is responsible for specific tasks, who needs to be notified, and who has the authority to make decisions.

Reference: Palo Alto Networks Operational Best Practices Documentation.

What is the default port used by the Terminal Services agent to communicate with a firewall?

A. 5007
B. 5009
C. 443
D. 636
Suggested answer: A

Explanation:

The default port used by the Terminal Services agent to communicate with a Palo Alto Networks firewall is 5007. The Terminal Services agent (TS agent) integrates with Microsoft Terminal Services to associate user information with sessions, enabling User-ID to accurately map user identities to security policies.

Reference: Palo Alto Networks Terminal Services Agent Documentation.

DRAG DROP

Identify each stakeholder's role when planning a firewall, Panorama, and Cortex XDR deployment.

[Question 19: the stakeholder and role lists were presented as an image and are not reproduced here; the explanation below summarizes the expected matching.]

Explanation:

System Administrator - They are responsible for the deployment and maintenance of software, including the Cortex XDR client. This includes distributing the software across the organization and ensuring it is up to date.

Security Operations Analyst - Their primary responsibility is to monitor and analyze security events, manage alerts, and respond to threats. They play a critical role in incident detection and response.

Network Engineer - They ensure the network infrastructure is properly configured for routing, switching, and general device interconnectivity. This ensures that all components, including firewalls and endpoint security solutions, can communicate effectively.

A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy-based VPN peer. After the initial configuration is completed and the changes are committed, phase 2 fails to establish.

Which two changes may be required to fix the issue? (Choose two)

A. Verify that the certificate used for authentication is installed.
B. Verify that PFS is enabled on both ends.
C. Enable the NAT Traversal advanced option.
D. Add proxy IDs to the IPsec tunnel configuration.
Suggested answer: B, D

Explanation:

When configuring a site-to-site VPN between a Palo Alto Networks Next-Generation Firewall (NGFW) and a third-party device with a policy-based VPN peer, Phase 2 failures can often be attributed to configuration mismatches or missing parameters. Here are the two changes that may be required to fix the issue:

B. Verify that PFS is enabled on both ends: Perfect Forward Secrecy (PFS) is a method that ensures the security of cryptographic keys. Both ends of the VPN tunnel need to agree on whether PFS is used. If PFS is enabled on one side but not the other, Phase 2 will fail. Verify the PFS settings and ensure they are matched on both the Palo Alto firewall and the third-party VPN device.

D. Add proxy IDs to the IPsec tunnel configuration: Proxy IDs (or traffic selectors) define the specific local and remote IP ranges that are allowed to communicate through the VPN tunnel. They are particularly crucial when dealing with policy-based VPNs. If the proxy IDs are not correctly configured, Phase 2 negotiations will fail. Add the appropriate proxy IDs to the IPsec tunnel configuration to match the policy-based VPN settings of the third-party device.

Palo Alto Networks - Configuring Site-to-Site VPN Between Palo Alto Networks and a Third-Party Firewall: https://docs.paloaltonetworks.com

Palo Alto Networks - VPN Configuration Guidelines: https://knowledgebase.paloaltonetworks.com
