ExamGecko

Palo Alto Networks PCNSC Practice Test - Questions Answers, Page 3

Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLI command can you run to determine the number of logs per second sent by each firewall?

A. debug log-sender statistics
B. logging status
C. show log traffic
D. debug log-receiver statistics

Suggested answer: D

Explanation:

To determine the number of logs per second sent by each firewall to a Panorama appliance, the appropriate CLI command to use is:

D. debug log-receiver statistics

This command provides detailed statistics about the logs being received by the Panorama, including the rate at which logs are being sent by each connected firewall. This information can help identify whether the Panorama is being overwhelmed by the volume of logs and which firewalls are contributing the most to the log traffic.

Palo Alto Networks - CLI Commands for Troubleshooting Panorama: https://docs.paloaltonetworks.com

Palo Alto Networks - Managing Logs and Log Forwarding: https://knowledgebase.paloaltonetworks.com

Where and how is Expedition installed?

A. On an Ubuntu server, by running an installation script that will automatically download all dependencies
B. On an Ubuntu server, by manually installing the application and all dependencies
C. On a Windows Server, by running an installation script that will automatically download all dependencies
D. On a Windows Server by manually installing the application and all dependencies

Suggested answer: A

Explanation:

Expedition, the migration tool provided by Palo Alto Networks, is installed on an Ubuntu server. The installation process involves running a script that automatically downloads and installs all necessary dependencies.

A. On an Ubuntu server, by running an installation script that will automatically download all dependencies

This method simplifies the installation process by automating the download and configuration of all required components, ensuring that the installation is straightforward and minimizes the potential for errors related to missing dependencies.

Palo Alto Networks - Expedition Installation Guide: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool

Palo Alto Networks - Expedition User Guide: https://live.paloaltonetworks.com/t5/expedition-documentation/ct-p/migration_tool_docs

DRAG DROP

In Panorama, the web interface displays the security rules in evaluation order. Organize the security rules in the order in which they will be evaluated.


Question 23
Correct answer: Question 23

Explanation:

Palo Alto Networks - Panorama Admin Guide: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/policy/policy-precedence-and-evaluation-order

Palo Alto Networks - Security Policy Evaluation: https://knowledgebase.paloaltonetworks.com

Which three steps must an administrator perform to load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production? (Choose three)

A. use the device configuration import in Panorama
B. Import named configuration snapshot through the web interface
C. load the config in the web interface and commit
D. enter the configuration mode from the CLI
E. use load config partial command

Suggested answer: C, D, E

Explanation:

To load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production, the administrator must follow these three steps:

C. Enter the configuration mode from the CLI: This step is necessary to prepare the firewall to accept the new configuration.

D. Use the load config partial command: This command allows the administrator to load only specific parts of the configuration, such as address objects, from a saved configuration file without overwriting the entire configuration. The command syntax typically looks like this: load config partial from <source-configuration> mode merge exclude everything but address objects.

E. Import named configuration snapshot through the web interface: This involves importing the configuration snapshot that contains the address objects through the web interface, but only after ensuring that the specific address objects are targeted and not the entire configuration.

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - How to Use the Partial Configuration Load Feature: https://knowledgebase.paloaltonetworks.com

SSL Forward Proxy decryption is enabled on the firewall. When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates. The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates.

Which two options will satisfy this requirement? (Choose two.)

A. create a Decryption Profile with the Block sessions with expired certificates option enabled
B. create a self-signed Forward Untrust enabled certificate
C. create a PKI signed Forward Untrust enabled certificate
D. remove the Forward Untrust option from the Forward Trust certificate

Suggested answer: A, B

Explanation:

When SSL Forward Proxy decryption is enabled, and clients using Chrome need to see browser warnings for websites with invalid certificates, the following options will satisfy the requirement:

A. Create a Decryption Profile with the Block sessions with expired certificates option enabled: This option ensures that sessions with expired certificates are blocked, which will present a warning to the user.

B. Create a self-signed Forward Untrust enabled certificate: This certificate will be used for websites with invalid or untrusted certificates, prompting the browser to display a warning.

These configurations ensure that users are properly warned when accessing sites with invalid certificates, allowing them to decide whether to proceed.

Palo Alto Networks - SSL Decryption Best Practices: https://docs.paloaltonetworks.com/best-practices

Palo Alto Networks - Configuring SSL Forward Proxy: https://knowledgebase.paloaltonetworks.com

A customer has a pair of Panorama HA appliances running local log collectors and wants to have log redundancy on logs forwarded from firewalls. Which two configuration options fulfill the customer's requirement for log redundancy? (Choose two)

A. Panorama operational mode needs to be Dedicated Log Collector
B. Log redundancy must be enabled per Collector Group
C. A Collector Group must contain at least two Log Collectors
D. Panorama configured in HA provides log redundancy

Suggested answer: B, C

Explanation:

To fulfill the customer's requirement for log redundancy on logs forwarded from firewalls in a Panorama HA setup, the following configuration options are necessary:

B. Log redundancy must be enabled per Collector Group: This ensures that logs are redundantly stored across multiple log collectors within the same collector group.

C. A Collector Group must contain at least two Log Collectors: For log redundancy to work, there must be at least two log collectors in the collector group so that if one log collector fails, the other can continue to collect logs.

These configurations ensure that log data is replicated across multiple log collectors, providing redundancy and resilience in the event of a failure.

Palo Alto Networks - Configure Log Forwarding and Redundancy: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-log-collection/configure-log-forwarding-and-redundancy

Palo Alto Networks - Panorama High Availability: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-high-availability

What happens when a packet from an existing session is received by a firewall that

A. The firewall requests the sender to resend the packet
B. The firewall drops the packet to prevent any L3 loops
C. The firewall forwards the packet to the peer firewall over the HA3 link
D. The firewall takes ownership of the session from the peer firewall

Suggested answer: D

Explanation:

When a packet from an existing session is received by a firewall that is part of an HA (High Availability) pair:

D. The firewall takes ownership of the session from the peer firewall

In a high-availability configuration, if a firewall in an HA pair receives a packet for an existing session that it is not currently handling, it will take ownership of that session from the peer firewall. This ensures seamless continuity of the session and maintains the stateful nature of the firewall's session handling.

Palo Alto Networks - High Availability Concepts: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-concepts

Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)

A. LACP in TAP
B. LACP in Layer 3
C. LACP in Layer 2
D. LACP in Virtual Wire
E. LLDP in Layer 3

Suggested answer: B, C, D

Explanation:

The interface deployments that support the Aggregate Ethernet (AE) Active configuration are:

B. LACP in Layer 3: Link Aggregation Control Protocol (LACP) can be used in Layer 3 interfaces to bundle multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.

C. LACP in Layer 2: LACP can be used in Layer 2 interfaces to aggregate multiple Ethernet interfaces, enhancing throughput and providing failover capabilities within a Layer 2 network.

D. LACP in Virtual Wire: LACP can also be configured in Virtual Wire mode, which allows the firewall to aggregate interfaces while operating in a transparent mode, bridging traffic between interfaces without routing.

These configurations leverage LACP to improve network performance and reliability by combining multiple physical links into a single logical link.

Palo Alto Networks - Aggregate Interfaces: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/aggregate-ethernet-overview

Palo Alto Networks - LACP and LLDP Support: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/lacp-and-lldp-support

A customer has a five-year-old firewall in production. In the time since the firewall was installed, the IT team deleted unused security policies on a regular basis, but they did not remove the address objects and groups that were part of these security policies.

What is the best way to delete all of the unused address objects on the firewall?

A. Import the configuration in Expedition, remove unused address objects, and reimport the configuration.
B. Using CLI execute request configuration address-objects remove-unused-objects.
C. Go to Address Objects under the Objects tab and click on Remove unused objects.
D. Search each address object with Global Find and delete if it shows that the address object is not referenced.

Suggested answer: B

Explanation:

To delete all of the unused address objects on the firewall, the best method is:

B. Using CLI execute request configuration address-objects remove-unused-objects

This CLI command is designed to identify and remove all unused address objects in the firewall's configuration. It is the most efficient and accurate method for cleaning up unused objects without manually checking each one.

Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start

Palo Alto Networks - Removing Unused Address Objects: https://knowledgebase.paloaltonetworks.com

Which category of Vulnerability Signatures is most likely to trigger false positive alerts?

A. code-execution
B. phishing
C. info-leak
D. brute-force

Suggested answer: C

Explanation:

The category of Vulnerability Signatures that is most likely to trigger false positive alerts is:

C. info-leak

Information leakage signatures are designed to detect attempts to access or disclose sensitive information. These signatures can be prone to false positives because benign activities or legitimate data transmissions can sometimes be mistakenly identified as information leaks.

Palo Alto Networks - Managing False Positives in Threat Prevention: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/manage-false-positives-in-threat-prevention

Palo Alto Networks - Vulnerability Protection: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/vulnerability-protection

Total 60 questions