ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSC

Palo Alto Networks PCNSC Practice Test - Questions Answers, Page 6

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A customer's Palo Alto Networks NGFW currently has only one security policy allowing all traffic They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an 'allow any' rule What should the consultant say about Expedition?
How can you verify that a new security policy is correctly blocking traffic without disrupting the network?
An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations They have also purchased a Support license, a Threat license a URL Filtering license, and a WildFire license for each firewall What additional license do they need to purchase'?
You are hosting a public-facing web server on your DMZ and access to that server is through a Palo Alto Networks firewall Both internal clients and internet clients access this web server using the FQDN public webserver acme com which resolves to the public address of 99.99 99.2 Which combination of NAT policies is necessary to enable access to the web server for both internal and internet clients? A) B) C) D)
Which two log types are necessary to fully investigate a network intrusion? (Choose two)
Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update-? (Choose two)
In Panorama, what is the correct order of precedence for security policies?
What is the maximum number of virtual systems supported by a Palo Alto Networks VM-300 firewall?
Which GlobalProtect feature ensures that only trusted endpoints can connect to the network?
Which CLI command should you use to verify whether all SFP SFP*, or QSFP modules are installed in a firewall?

Question 51

Report
Export
Collapse

Which Palo Alto Networks feature allows you to create dynamic security policies based on the behavior of the devices in your network?

A.
Behavioral Threat Detection
A.
Behavioral Threat Detection
Answers
B.
Cortex XDR
B.
Cortex XDR
Answers
C.
App-ID
C.
App-ID
Answers
D.
Dynamic Address Groups
D.
Dynamic Address Groups
Answers
Suggested answer: D

Question 52

Report
Export
Collapse

Which touting configuration should you recommend lo a customer who wishes lo actively use multiple pathways to the same destination?

A.
OSPF
A.
OSPF
Answers
B.
ECMP
B.
ECMP
Answers
C.
BGP
C.
BGP
Answers
D.
RlPv2
D.
RlPv2
Answers
Suggested answer: B

Explanation:

For a customer who wishes to actively use multiple pathways to the same destination, the recommended routing configuration is:

B . ECMP (Equal-Cost Multi-Path)

ECMP allows the use of multiple paths to the same destination with equal cost metrics, enabling load balancing and redundancy. It is suitable for scenarios where multiple pathways are desired for traffic distribution and fault tolerance.

Palo Alto Networks - ECMP Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-networking-admin/ecmp

Palo Alto Networks - Configuring ECMP: https://knowledgebase.paloaltonetworks.com

Question 53

Report
Export
Collapse

DRAG DROP

Match the task for server settings in group mapping with its order in the process.


Question 53
Correct answer: Question 53

Explanation:

Palo Alto Networks - Configuring Group Mapping: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-users-to-groups

Palo Alto Networks - User-ID Agent and Group Mapping Configuration: https://knowledgebase.paloaltonetworks.com

Question 54

Report
Export
Collapse

Which firewall interface type allows you to non-disruptively monitor traffic coming from a port operating in promiscuous mode?

A.
V-Wire
A.
V-Wire
Answers
B.
Layer 3
B.
Layer 3
Answers
C.
Layer
C.
Layer
Answers
D.
TAP
D.
TAP
Answers
Suggested answer: D

Explanation:

To non-disruptively monitor traffic coming from a port operating in promiscuous mode, the appropriate firewall interface type is:

D . TAP

A TAP (Test Access Point) interface allows the firewall to passively monitor network traffic without interfering with the actual flow of traffic. It is used to capture and analyze traffic for inspection, logging, and threat detection.

Palo Alto Networks - TAP Mode: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/network-interface-configurations/tap-mode

Question 55

Report
Export
Collapse

You are hosting a public-facing web server on your DMZ and access to that server is through a Palo Alto Networks firewall Both internal clients and internet clients access this web server using the FQDN public webserver acme com which resolves to the public address of 99.99 99.2

Which combination of NAT policies is necessary to enable access to the web server for both internal and internet clients?

A)

B)

C)

D)

A.
Option A
A.
Option A
Answers
B.
Option B
B.
Option B
Answers
C.
Option C
C.
Option C
Answers
D.
Option D
D.
Option D
Answers
Suggested answer: C

Explanation:

To enable access to a public-facing web server for both internal and internet clients using the FQDN public.webserver.acme.com, which resolves to the public address 99.99.99.2, the necessary combination of NAT policies is:

C . Option C

Policy 11: DMZ to Untrust

Source Zone: DMZ

Destination Zone: Untrust

Destination Address: Web_Server_Public_99.99.99.2

Destination Translation: address: Web_Server_Private_172.16.1.2

Policy 12: Untrust to Untrust

Source Zone: Untrust

Destination Zone: Untrust

Destination Address: Web_Server_Public_99.99.99.2

Destination Translation: address: Web_Server_Private_172.16.1.2

These policies ensure that traffic destined for the public IP address 99.99.99.2 from both the DMZ and Untrust zones is properly translated to the internal web server's private IP address 172.16.1.2.

Palo Alto Networks - NAT Configuration: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules

Question 56

Report
Export
Collapse

An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations They have also purchased a Support license, a Threat license a URL Filtering license, and a WildFire license for each firewall

What additional license do they need to purchase'?

A.
a Cortex Data Lake license
A.
a Cortex Data Lake license
Answers
B.
an Enterprise Data Loss Prevention (DLP) license
B.
an Enterprise Data Loss Prevention (DLP) license
Answers
C.
an loT Security license (or the perimeter firewall
C.
an loT Security license (or the perimeter firewall
Answers
D.
an loT Security license for each deployed firewall
D.
an loT Security license for each deployed firewall
Answers
Suggested answer: A

Explanation:

To start using Device-ID to obtain policy rule recommendations, the customer needs to purchase:

A . a Cortex Data Lake license

The Cortex Data Lake is a cloud-based logging service that aggregates data from all Palo Alto Networks products and services. Device-ID uses this data to provide insights and recommendations for policy rules based on the identities of devices on the network.

Palo Alto Networks - Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake

Palo Alto Networks - Device-ID Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-device-id-to-enforce-policy

Question 57

Report
Export
Collapse

Which of the following WildFire action settings will ensure that a malicious file is quarantined and prevented from spreading?

A.
Alert
A.
Alert
Answers
B.
Allow
B.
Allow
Answers
C.
Block
C.
Block
Answers
D.
Reset-Both
D.
Reset-Both
Answers
Suggested answer: C

Question 58

Report
Export
Collapse

Which log type would you consult to diagnose why a specific URL is being blocked?

A.
Threat log
A.
Threat log
Answers
B.
URL Filtering log
B.
URL Filtering log
Answers
C.
Traffic log
C.
Traffic log
Answers
D.
Data Filtering log
D.
Data Filtering log
Answers
Suggested answer: B

Question 59

Report
Export
Collapse

What is the maximum number of virtual systems supported by a Palo Alto Networks VM-300 firewall?

A.
10
A.
10
Answers
B.
5
B.
5
Answers
C.
2
C.
2
Answers
D.
8
D.
8
Answers
Suggested answer: B

Question 60

Report
Export
Collapse

How can you verify that a new security policy is correctly blocking traffic without disrupting the network?

A.
Enable logging on the rule and monitor the logs
A.
Enable logging on the rule and monitor the logs
Answers
B.
Disable all other rules temporarily
B.
Disable all other rules temporarily
Answers
C.
Use the test security-policy-match CLI command
C.
Use the test security-policy-match CLI command
Answers
D.
Implement the policy in a lab environment first
D.
Implement the policy in a lab environment first
Answers
Suggested answer: C
Total 60 questions
Go to page: of 6
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms