ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 12

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

Question 111

Report
Export
Collapse

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

A.
Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
A.
Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
Answers
B.
Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
B.
Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
Answers
C.
Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
C.
Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
Answers
D.
Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
D.
Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Answers
Suggested answer: B

Explanation:

Generate a CA certificate for Forward Trust (step 2) a self-signed CA for Forward Untrust (step 4)https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward- proxy

Question 112

Report
Export
Collapse

How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advance Routing Engine run on PAN-OS 10.2?

A.
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD
A.
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD
Answers
B.
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
B.
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
Answers
C.
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
C.
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
Answers
D.
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD
D.
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD
Answers
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced- routing/create-bfd-profiles#idf2ccda44-0678-4df3-ad1d-2ec8f47cec7b then https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced- routing/configure-bgp-on-an-advanced-routing-engine

Question 113

Report
Export
Collapse

An administrator has configured a pair of firewalls using high availability in Active/Passive mode.

Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.

Which scenario will cause the Active firewall to fail over?

A.
IP address 8.8.8.8 is unreachable for 1 second.
A.
IP address 8.8.8.8 is unreachable for 1 second.
Answers
B.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
B.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
Answers
C.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
C.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
Answers
D.
IP address 4.2.2.2 is unreachable for 2 seconds.
D.
IP address 4.2.2.2 is unreachable for 2 seconds.
Answers
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-high- availability/ha-link-and-path-monitoring

Question 114

Report
Export
Collapse

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

A.
Incomplete
A.
Incomplete
Answers
B.
unknown-udp
B.
unknown-udp
Answers
C.
Insufficient-data
C.
Insufficient-data
Answers
D.
not-applicable
D.
not-applicable
Answers
Suggested answer: B

Explanation:

UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only.https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

Question 115

Report
Export
Collapse

Which profile generates a packet threat type found in threat logs?

A.
Zone Protection
A.
Zone Protection
Answers
B.
WildFire
B.
WildFire
Answers
C.
Anti-Spyware
C.
Anti-Spyware
Answers
D.
Antivirus
D.
Antivirus
Answers
Suggested answer: A

Explanation:

"Threat/Content Type (subtype) Subtype of threat log." "packetóPacket-based attack protectiontriggered by a Zone Protection profile." https://docs.paloaltonetworks.com/pan-os/10-2/pan-os- admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fieldshttps://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for- monitoring/syslog-field-descriptions/threat-log-fields packetóPacket-based attack protection triggered by a Zone Protection profile.

Question 116

Report
Export
Collapse

A client wants to detect the use of weak and manufacturer-default passwords for loT devices. Which option will help the customer?

A.
Configure a Data Filtering profile with alert mode.
A.
Configure a Data Filtering profile with alert mode.
Answers
B.
Configure an Antivirus profile with alert mode.
B.
Configure an Antivirus profile with alert mode.
Answers
C.
Configure a Vulnerability Protection profile with alert mode
C.
Configure a Vulnerability Protection profile with alert mode
Answers
D.
Configure an Anti-Spyware profile with alert mode.
D.
Configure an Anti-Spyware profile with alert mode.
Answers
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles

Question 117

Report
Export
Collapse

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

A.
Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone
A.
Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone
Answers
B.
Enable packet buffer protection in the outside zone.
B.
Enable packet buffer protection in the outside zone.
Answers
C.
Create a Security rule to deny all ICMP traffic from the outside zone.
C.
Create a Security rule to deny all ICMP traffic from the outside zone.
Answers
D.
Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
D.
Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
Answers
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/configure-zone-protection-to-increase-network-security/configure-reconnaissance- protection

Question 118

Report
Export
Collapse

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

A.
Specify the subinterface as a management interface in Setup > Device > Interfaces.
A.
Specify the subinterface as a management interface in Setup > Device > Interfaces.
Answers
B.
Enable HTTPS in an Interface Management profile on the subinterface.
B.
Enable HTTPS in an Interface Management profile on the subinterface.
Answers
C.
Add the network segment's IP range to the Permitted IP Addresses list
C.
Add the network segment's IP range to the Permitted IP Addresses list
Answers
D.
Configure a service route for HTTP to use the subinterface
D.
Configure a service route for HTTP to use the subinterface
Answers
Suggested answer: B

Explanation:

An interface management profile defines which services are available on an interface, such as HTTPS, SSH, ping, or SNMP. By enabling HTTPS in an interface management profile on the subinterface, the engineer can allow XML API access to the firewall for automation on the network segment that is routed through the subinterface. Specifying the subinterface as a management interface in Setup > Device > Interfaces is not possible, as only physical interfaces can be designated as management interfaces. Adding the network segment's IP range to the Permitted IP Addresses list will not help, as this list only applies to the dedicated management interface. Configuring a service route for HTTP to use the subinterface will not help, as this will only affect the outbound traffic from the firewall to external services, not the inbound traffic to the firewall for XML API access. Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/ networking/configure- interfaces/configure-interface-management-profiles https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access

Question 119

Report
Export
Collapse

An engineer needs to see how many existing SSL decryption sessions are traversing a firewall What command should be used?

A.
show dataplane pool statistics I match proxy
A.
show dataplane pool statistics I match proxy
Answers
B.
debug dataplane pool statistics I match proxy
B.
debug dataplane pool statistics I match proxy
Answers
C.
debug sessions I match proxy
C.
debug sessions I match proxy
Answers
D.
show sessions all
D.
show sessions all
Answers
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhdCAC

Question 120

Report
Export
Collapse

Which steps should an engineer take to forward system logs to email?

A.
Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.
A.
Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.
Answers
B.
Enable log forwarding under the email profile in the Objects tab.
B.
Enable log forwarding under the email profile in the Objects tab.
Answers
C.
Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.
C.
Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.
Answers
D.
Enable log forwarding under the email profile in the Device tab.
D.
Enable log forwarding under the email profile in the Device tab.
Answers
Suggested answer: C

Explanation:

An email profile defines the email server and sender address for sending email notifications from the firewall or Panorama. To forward system logs to email, the engineer needs to create a new email profile under Device > Server Profiles > Email and configure the required settings, such as SMTP server, sender email address, and recipient email address. Then, the engineer needs to navigate to Device > Log Settings > System and select the email profile under Email for each severity level of system logs that need to be forwarded. Enabling log forwarding under the email profile in the Objects tab or in the Device tab is not possible, as log forwarding profiles are configured under Objects > Log Forwarding. Log forwarding profiles are used for forwarding threat, traffic, URL filtering, data filtering, HIP match, configuration, and correlation logs, not system logs. Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-email-alerts https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding

Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms