ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers

DRAG DROP

Match each type of DoS attack to an example of that type of attack.


Question 1
Correct answer: Question 1

Explanation:

Reference: https://www.hackingarticles.in/dos-penetration-testing-part-1/#:~:text=Protocol%2DBased%20Attack%3A%20This%20kind,unresponsive%20to%20other%20legitimate%20requests

DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.


Question 2
Correct answer: Question 2

Explanation:

Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.

Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.

Step 3. Upload or drag and drop the technical support file.

Step 4. Map the zone type and area of the architecture to each zone.

Step 5. Follow the steps to download the BPA report bundle.

Reference:

https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa

When using certificate authentication for firewall administration, which method is used for authorization?

A. Radius
B. LDAP
C. Kerberos
D. Local
Suggested answer: D

Explanation:

Authentication: Certificates. Authorization: Local. The administrative accounts are local to the firewall, but authentication to the web interface is based on client certificates. You use the firewall to manage role assignments, but access domains are not supported.

A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

A. certificate authority (CA) certificate
B. client certificate
C. machine certificate
D. server certificate
Suggested answer: D

Explanation:

Use only signed certificates, not CA certificates, in SSL/TLS service profiles.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile.html

A server certificate is used for the SSL/TLS Service Profile. The server certificate identifies the firewall to clients that initiate SSL/TLS connections to it. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificates-and-keys/server-certificates

Using multiple templates in a stack to manage many firewalls provides which two advantages?

(Choose two.)

A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security policies across all stacks
Suggested answer: B, C

Explanation:

Using multiple templates in a stack to manage many firewalls provides the advantages of defining a common standard template configuration for firewalls and standardizing server profiles and authentication configuration across all stacks.

A template stack is a container for multiple templates that you can assign to firewalls and firewall groups. The templates in a stack are prioritized so that the settings in a higher-priority template override the same settings in a lower-priority template. This allows you to create a hierarchy of templates that define common settings for all firewalls and specific settings for different groups of firewalls. Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing.

What command could the engineer run to see the current BGP state between the two devices?

A. show routing protocol bgp state
B. show routing protocol bgp peer
C. show routing protocol bgp summary
D. show routing protocol bgp rib-out
Suggested answer: C

Explanation:

The show routing protocol bgp summary command displays the current state of the BGP peer relationship between the firewall and other BGP routers. The output includes the peer IP address, AS number, uptime, prefix count, state, and status codes. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/show-the-routing-table-and-statistics

A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment. They want to ensure that they know as much as they can about QoS before deploying.

Which statement about the QoS feature is correct?

A. QoS is only supported on firewalls that have a single virtual system configured
B. QoS can be used in conjunction with SSL decryption
C. QoS is only supported on hardware firewalls
D. QoS can be used on firewalls with multiple virtual systems configured
Suggested answer: D

Explanation:

The correct answer is D - QoS can be used on firewalls with multiple virtual systems configured. QoS is a feature that enables network administrators to prioritize and manage network traffic to ensure that critical applications receive the necessary bandwidth and quality of service. This feature can be used on firewalls with multiple virtual systems, allowing administrators to configure policies on a per-Virtual System basis. Additionally, QoS can be used in conjunction with SSL decryption to ensure that applications running over SSL receive appropriate treatment.

Which statement regarding HA timer settings is true?

A. Use the Recommended profile for typical failover timer settings
B. Use the Moderate profile for typical failover timer settings
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.
Suggested answer: A

Explanation:

The Recommended profile is the default profile that provides typical failover timer settings for most deployments. The other profiles are designed for specific scenarios where faster or slower failover is desired. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-timers

When you navigate to Network > GlobalProtect > Portals > Method section, which three options are available? (Choose three.)

A. user-logon (always on)
B. pre-logon then on-demand
C. on-demand (manual user initiated connection)
D. post-logon (always on)
E. certificate-logon
Suggested answer: A, B, C

Explanation:

The Method section of the GlobalProtect portal configuration allows you to specify how users connect to the portal. The options are:

user-logon (always on): The agent connects to the portal as soon as the user logs in to the endpoint.

pre-logon then on-demand: The agent connects to the portal before the user logs in to the endpoint and then switches to on-demand mode after the user logs in.

on-demand (manual user initiated connection): The agent connects to the portal only when the user initiates the connection manually.

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/globalprotect/configure-the-globalprotect-portal/configure-the-agent/configure-the-app-tab.html

An engineer must configure the Decryption Broker feature.

Which Decryption Broker security chain supports bi-directional traffic flow?

A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
Suggested answer: B

Explanation:

Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.

Total 426 questions