ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 11

A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

A. Decryption policy and a Data Filtering profile
B. a WildFire profile and a File Blocking profile
C. Vulnerability Protection profile and a Decryption policy
D. a Vulnerability Protection profile and a QoS policy

Suggested answer: C

Explanation:

A vulnerability protection profile enables the firewall to detect and prevent exploit attempts against known vulnerabilities in network protocols and applications. A decryption policy allows the firewall to decrypt and inspect inbound HTTPS traffic for potential threats. A data filtering profile is used for detecting and controlling the transfer of sensitive data such as credit card numbers or social security numbers. A WildFire profile is used for submitting unknown files or email links to the WildFire cloud for analysis and verdict. A file blocking profile is used for blocking or allowing the transfer of files based on their type, direction, or application. A QoS policy is used for managing the bandwidth allocation and priority of network traffic based on various criteria.

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-vulnerability-protection.html

Which two statements correctly describe Session 380280? (Choose two.)

A. The session went through SSL decryption processing.
B. The session has ended with the end-reason unknown.
C. The application has been identified as web-browsing.
D. The session did not go through SSL decryption processing.

Suggested answer: A, C

Explanation:

The session went through SSL decryption processing because the Decryption column shows a green check mark, indicating that the firewall decrypted the traffic and applied security policies. The application has been identified as web-browsing because the Application column shows web-browsing as the application name. The session has not ended yet because the Session End Reason column shows N/A, indicating that the session is still active. The session did go through SSL decryption processing, so option D is incorrect.

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/monitor/monitor-network/monitor-sessions

While analyzing the Traffic log, you see that some entries show "unknown-tcp" in the Application column. What best explains these occurrences?

A. A handshake took place, but no data packets were sent prior to the timeout.
B. A handshake took place; however, there were not enough packets to identify the application.
C. A handshake did take place, but the application could not be identified.
D. A handshake did not take place, and the application could not be identified.

Suggested answer: C

Explanation:

Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.

Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC#:~:text=unknown%2Dtcp%3A,firewall%20does%20not%20have%20signatures.

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

A. In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
B. Within the redistribution profile ensure that Redist is selected.
C. Ensure that the OSPF neighbor state is "2-Way."
D. In the redistribution profile check that the source type is set to "ospf."

Suggested answer: A, B

Explanation:

A redistribution profile defines which routes from one routing protocol are redistributed into another routing protocol. In the OSPF configuration, the OSPF Export Rules section allows you to select which redistribution profiles to apply for exporting routes into OSPF. Within the redistribution profile, you need to select Redist as the option to redistribute the routes that match the profile filter. If you select No Redist, the routes that match the profile filter will not be redistributed.

Ensuring that the OSPF neighbor state is "2-Way" is not relevant for advertising a static route into OSPF, as this state indicates that the neighbor relationship is established but not synchronized. In the redistribution profile, the source type should be set to "static" if you want to redistribute a static route into OSPF, not "ospf".

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/route-redistribution/configure-route-redistribution https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC

Which statement best describes the Automated Commit Recovery feature?

A. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails.
B. It restores the running configuration on a firewall and Panorama if the last configuration commit fails.
C. It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.
D. It restores the running configuration on a firewall if the last configuration commit fails.

Suggested answer: A

Explanation:

The Automated Commit Recovery feature enables the firewall to automatically revert to a previous configuration if a commit operation causes connectivity loss between the firewall and Panorama. The feature performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. If the check fails, the firewall reverts to the last known good configuration and restores connectivity with Panorama. The feature does not restore the running configuration on a firewall or Panorama if the last commit fails, as this would require manual intervention. The feature does not revert the configuration changes on Panorama, as Panorama is not affected by the commit operation on the firewall.

Reference: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administer-panorama/enable-automated-commit-recovery https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/administer-panorama/enable-automated-commit-recovery

A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.

What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?

A. Disable logging on security rules allowing DNS.
B. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DNS.
C. Create a security rule to deny DNS traffic with the syslog server in the destination.
D. Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DNS.

Suggested answer: B

Explanation:

A log forwarding profile defines which logs are forwarded to which destinations, such as syslog servers. By creating a filter with application not equal to DNS, the log forwarding profile will exclude DNS traffic logs from being forwarded to syslog. Disabling logging on security rules allowing DNS will prevent the firewall from generating any logs for DNS traffic, which may not be desirable. Creating a security rule to deny DNS traffic with the syslog server in the destination will block the communication between the firewall and the syslog server, which may affect other logs. Creating a filter with application equal to DNS will forward only DNS traffic logs to syslog, which is the opposite of what is required.

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding https://docs.paloaltonetworks.com/network-security/security-policy/objects/log-forwarding

An engineer is planning an SSL decryption implementation.

Which of the following statements is a best practice for SSL decryption?

A. Use the same Forward Trust certificate on all firewalls in the network.
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
C. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
D. Use an enterprise CA-signed certificate for the Forward Untrust certificate.

Suggested answer: C

Explanation:

(Best Practice) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA.

This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices' CA Trust storage), so you don't need to deploy the certificate on the endpoints, and the rollout process is smoother.

Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

A. certificate revocation
B. Content-ID
C. App-ID
D. port inspection

Suggested answer: C

Explanation:

QoS natively integrates with App-ID, which is a feature that identifies applications based on their unique characteristics and behaviors, regardless of port, protocol, encryption, or evasive tactics. By using App-ID, QoS can prioritize or limit traffic based on the application name, category, subcategory, technology, or risk level. Certificate revocation is a process of invalidating digital certificates that are no longer trusted or secure. Content-ID is a feature that scans content and data within allowed applications for threats and sensitive data. Port inspection is a method of identifying applications based on the TCP or UDP port numbers they use, which is not reliable or granular enough for QoS purposes. Reference:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id

What can an engineer use with GlobalProtect to distribute user-specific client certificates to each GlobalProtect user?

A. Certificate profile
B. SSL/TLS Service profile
C. OCSP Responder
D. SCEP

Suggested answer: D

Explanation:

If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.

Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certificates/deploy-certificates-using-scep

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices?

(Choose three.)

A. upload-only
B. upload and install and reboot
C. verify and install
D. upload and install
E. install and reboot

Suggested answer: A, B, D

Explanation:

Panorama can perform three actions when deploying PAN-OS images to its managed devices: upload-only, upload and install, and upload and install and reboot. Upload-only transfers the PAN-OS image from Panorama to the managed device without installing it. Upload and install transfers the PAN-OS image from Panorama to the managed device and installs it, but does not reboot the device. Upload and install and reboot transfers the PAN-OS image from Panorama to the managed device, installs it, and reboots the device. Verify and install is not a valid action for deploying PAN-OS images from Panorama. Install and reboot is not a valid action for deploying PAN-OS images from Panorama, as the image needs to be uploaded first.

Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/panorama/panorama-device-deployment/manage-software-and-content-updates https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cles

Total 426 questions