ExamGecko
Login
Home / Palo Alto Networks / PCNSC / List of questions
Ask Question

Palo Alto Networks PCNSC Practice Test - Questions Answers, Page 3

List of questions

Question 21

Report Export Collapse

Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLl command can you run to determine the number of logs per second sent by each firewall?

debug log-sender statistics
debug log-sender statistics
logging status
logging status
show log traffic
show log traffic
debug log-receiver statistics
debug log-receiver statistics
Suggested answer: D
Explanation:

To determine the number of logs per second sent by each firewall to a Panorama appliance, the appropriate CLI command to use is:

D . debug log-receiver statistics

This command provides detailed statistics about the logs being received by the Panorama, including the rate at which logs are being sent by each connected firewall. This information can help identify whether the Panorama is being overwhelmed by the volume of logs and which firewalls are contributing the most to the log traffic.

Palo Alto Networks - CLI Commands for Troubleshooting Panorama: https://docs.paloaltonetworks.com

Palo Alto Networks - Managing Logs and Log Forwarding: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024
Stefan Duerr
32 questions

Question 22

Report Export Collapse

Where and how is Expedition installed^

On an Ubuntu server, by running an installation script that will automatically download all dependencies
On an Ubuntu server, by running an installation script that will automatically download all dependencies
On an Ubuntu server, by manually installing the application and all dependencies
On an Ubuntu server, by manually installing the application and all dependencies
On a Windows Server, by running an installation script that will automatically download all dependencies
On a Windows Server, by running an installation script that will automatically download all dependencies
On a Windows Server by manually installing the application and all dependencies
On a Windows Server by manually installing the application and all dependencies
Suggested answer: A
Explanation:

Expedition, the migration tool provided by Palo Alto Networks, is installed on an Ubuntu server. The installation process involves running a script that automatically downloads and installs all necessary dependencies.

A . On an Ubuntu server, by running an installation script that will automatically download all dependencies

This method simplifies the installation process by automating the download and configuration of all required components, ensuring that the installation is straightforward and minimizes the potential for errors related to missing dependencies.

Palo Alto Networks - Expedition Installation Guide: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool

Palo Alto Networks - Expedition User Guide: https://live.paloaltonetworks.com/t5/expedition-documentation/ct-p/migration_tool_docs

asked 23/09/2024
Charles Manser
52 questions

Question 23

Report Export Collapse

DRAG DROP

In Panorama the web interface displays the security rules in evaluation order Organize the security rules m the order in which they will be evaluated?


Palo Alto Networks PCNSC image Question 23 54200 09232024121206000
Correct answer: Palo Alto Networks PCNSC image answer Question 23 54200 09232024121206000
Explanation:

Palo Alto Networks - Panorama Admin Guide: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/policy/policy-precedence-and-evaluation-order

Palo Alto Networks - Security Policy Evaluation: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024
Test Test
30 questions

Question 24

Report Export Collapse

Which three steps must an administrator perform to load only address objects from a PAN-OS saved configuration file into a VM-3C0 firewall that is in production? (Choose three)

use the device configuration import in Panorama
use the device configuration import in Panorama
Import named configuration snapshot through the web interface
Import named configuration snapshot through the web interface
load the config in the web interface and commit
load the config in the web interface and commit
enter the configuration mode from the CLI
enter the configuration mode from the CLI
use load config partial command
use load config partial command
Suggested answer: C, D, E
Explanation:

To load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production, the administrator must follow these three steps:

C . Enter the configuration mode from the CLI: This step is necessary to prepare the firewall to accept the new configuration.

D . Use the load config partial command: This command allows the administrator to load only specific parts of the configuration, such as address objects, from a saved configuration file without overwriting the entire configuration. The command syntax typically looks like this: load config partial from <source-configuration> mode merge exclude everything but address objects.

E . Import named configuration snapshot through the web interface: This involves importing the configuration snapshot that contains the address objects through the web interface, but only after ensuring that the specific address objects are targeted and not the entire configuration.

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - How to Use the Partial Configuration Load Feature: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024
Lambert Shel Pablo
46 questions

Question 25

Report Export Collapse

SSL Forward Proxy decryption is enabled on (he firewall When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates

Which two options will satisfy this requirement? (Choose two.)

create a Decryption Profile with the Block sessions with expired certificates option enabled
create a Decryption Profile with the Block sessions with expired certificates option enabled
create a self-signed Forward Untrust enabled certificate
create a self-signed Forward Untrust enabled certificate
create a PKI signed Forward Unlrust enabled certificate
create a PKI signed Forward Unlrust enabled certificate
remove the Forward Untrust option from the Forward Trust certificate
remove the Forward Untrust option from the Forward Trust certificate
Suggested answer: A, B
Explanation:

When SSL Forward Proxy decryption is enabled, and clients using Chrome need to see browser warnings for websites with invalid certificates, the following options will satisfy the requirement:

A . Create a Decryption Profile with the Block sessions with expired certificates option enabled: This option ensures that sessions with expired certificates are blocked, which will present a warning to the user.

B . Create a self-signed Forward Untrust enabled certificate: This certificate will be used for websites with invalid or untrusted certificates, prompting the browser to display a warning.

These configurations ensure that users are properly warned when accessing sites with invalid certificates, allowing them to decide whether to proceed.

Palo Alto Networks - SSL Decryption Best Practices: https://docs.paloaltonetworks.com/best-practices

Palo Alto Networks - Configuring SSL Forward Proxy: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024
Danyail Storey
31 questions

Question 26

Report Export Collapse

A customer has a pair of Panorama HA appliances tunning local log collectors and wants to have log redundancy on logs forwarded from firewalls Which two configuration options fulfill the customer's requirement for log redundancy? (Choose two)

Panorama operational mode needs to be Dedicated Log Collector
Panorama operational mode needs to be Dedicated Log Collector
Log redundancy must be enabled per Collector Group
Log redundancy must be enabled per Collector Group
A Collector Group must contain at least two Log Collectors
A Collector Group must contain at least two Log Collectors
Panorama configured in HA provides log redundancy
Panorama configured in HA provides log redundancy
Suggested answer: B, C
Explanation:

To fulfill the customer's requirement for log redundancy on logs forwarded from firewalls in a Panorama HA setup, the following configuration options are necessary:

B . Log redundancy must be enabled per Collector Group: This ensures that logs are redundantly stored across multiple log collectors within the same collector group.

C . A Collector Group must contain at least two Log Collectors: For log redundancy to work, there must be at least two log collectors in the collector group so that if one log collector fails, the other can continue to collect logs.

These configurations ensure that log data is replicated across multiple log collectors, providing redundancy and resilience in the event of a failure.

Palo Alto Networks - Configure Log Forwarding and Redundancy: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-log-collection/configure-log-forwarding-and-redundancy

Palo Alto Networks - Panorama High Availability: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-high-availability

asked 23/09/2024
Adnan Safdar
38 questions

Question 27

Report Export Collapse

What happens when a packet from an existing session is received by a firewall that

The firewall requests the sender to resend the packet
The firewall requests the sender to resend the packet
The firewall drops the packet to prevent any L3 loops
The firewall drops the packet to prevent any L3 loops
The firewall forwards the packet lo the peer firewall over the HA3 link
The firewall forwards the packet lo the peer firewall over the HA3 link
The firewall lakes ownership of the session from the peer firewall
The firewall lakes ownership of the session from the peer firewall
Suggested answer: D
Explanation:

When a packet from an existing session is received by a firewall that is part of an HA (High Availability) pair:

D . The firewall takes ownership of the session from the peer firewall

In a high-availability configuration, if a firewall in an HA pair receives a packet for an existing session that it is not currently handling, it will take ownership of that session from the peer firewall. This ensures seamless continuity of the session and maintains the stateful nature of the firewall's session handling.

Palo Alto Networks - High Availability Concepts: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-concepts

asked 23/09/2024
Chang Weishin
32 questions

Question 28

Report Export Collapse

Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)

LACP in TAP
LACP in TAP
LACP in Layer 3
LACP in Layer 3
LACP in Layer 2
LACP in Layer 2
LACP in Virtual Wire
LACP in Virtual Wire
LLDP in Layer 3
LLDP in Layer 3
Suggested answer: B, C, D
Explanation:

The interface deployments that support the Aggregate Ethernet (AE) Active configuration are:

B . LACP in Layer 3: Link Aggregation Control Protocol (LACP) can be used in Layer 3 interfaces to bundle multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.

C . LACP in Layer 2: LACP can be used in Layer 2 interfaces to aggregate multiple Ethernet interfaces, enhancing throughput and providing failover capabilities within a Layer 2 network.

D . LACP in Virtual Wire: LACP can also be configured in Virtual Wire mode, which allows the firewall to aggregate interfaces while operating in a transparent mode, bridging traffic between interfaces without routing.

These configurations leverage LACP to improve network performance and reliability by combining multiple physical links into a single logical link.

Palo Alto Networks - Aggregate Interfaces: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/aggregate-ethernet-overview

Palo Alto Networks - LACP and LLDP Support: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/lacp-and-lldp-support

asked 23/09/2024
Aaron Case
49 questions

Question 29

Report Export Collapse

A customer has a five-year-old firewall in production in the time since the firewall was installed, the IT team deleted unused security policies on a regular basis but they did not remove the address objects and groups that were part of these security policies.

What is the best way to delete all of the unused address objects on the firewall?

Import the configuration in Expedition, remove unused address objects, and reimport the configuration.
Import the configuration in Expedition, remove unused address objects, and reimport the configuration.
Using CLI execute request configuration address-objects remove-unused-objects.
Using CLI execute request configuration address-objects remove-unused-objects.
Go to Address Objects under the Objects tab and click on Remove unused objects.
Go to Address Objects under the Objects tab and click on Remove unused objects.
Search each address object with Global Find and delete if it shows that the address object is not referenced.
Search each address object with Global Find and delete if it shows that the address object is not referenced.
Suggested answer: B
Explanation:

To delete all of the unused address objects on the firewall, the best method is:

B . Using CLI execute request configuration address-objects remove-unused-objects

This CLI command is designed to identify and remove all unused address objects in the firewall's configuration. It is the most efficient and accurate method for cleaning up unused objects without manually checking each one.

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - Removing Unused Address Objects: https://knowledgebase.paloaltonetworks.com

asked 23/09/2024
Ivan Ramirez
44 questions

Question 30

Report Export Collapse

Which category of Vulnerability Signatures is most likely to trigger false positive alerts?

Become a Premium Member for full access
  Unlock Premium Member
Total 60 questions
Go to page: of 6
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations They have also purchased a Support license, a Threat license a URL Filtering license, and a WildFire license for each firewall What additional license do they need to purchase'?
A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy based VPN peer After the initial configuration is completed and the changes are committed, phase 2 fails to establish Which two changes may be required to fix the issue? (Choose two)
Which of the following WildFire action settings will ensure that a malicious file is quarantined and prevented from spreading?
How can you verify that a new security policy is correctly blocking traffic without disrupting the network?
A customer's Palo Alto Networks NGFW currently has only one security policy allowing all traffic They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an 'allow any' rule What should the consultant say about Expedition?
What is the maximum number of virtual systems supported by a Palo Alto Networks VM-300 firewall?
Which firewall interface type allows you to non-disruptively monitor traffic coming from a port operating in promiscuous mode?
Which touting configuration should you recommend lo a customer who wishes lo actively use multiple pathways to the same destination?
In an HA (High Availability) setup, what is the purpose of the HA3 link?
Which of the following is NOT a benefit of using App-ID?