ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 13

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

A. Syslog listener
B. agentless User-ID with redistribution
C. standalone User-ID agent
D. captive portal

Suggested answer: C

Explanation:

A syslog listener is a User-ID agent that listens for syslog messages from network devices that contain user mapping information, such as network access control systems, domain controllers, or MDM solutions. By configuring a syslog listener on the firewall or Panorama and specifying the syslog format and filters, User-ID can parse the syslog messages and extract user mapping information from multiple sources. Agentless User-ID with redistribution is a method of using an existing firewall as a User-ID agent that redistributes user mappings to other firewalls or Panorama. This method does not involve syslog messages. A standalone User-ID agent is a software application that runs on a Windows server and collects user mappings from Active Directory servers or other sources. This method requires installing and managing a separate agent software. A captive portal is a web page that prompts users to authenticate before accessing certain network resources. This method does not involve syslog messages.

Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/syslog-monitoring.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/user-id-agents.html

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A.
B.
C.
D.

Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat

Which Panorama feature protects logs against data loss if a Panorama server fails?

A. Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
B. Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
C. Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
D. Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.

Suggested answer: B

Explanation:

A Panorama Collector Group is a group of dedicated log collectors that receive logs from firewalls and Panorama management servers. By enabling log redundancy in a collector group, Panorama can ensure that each log is written to two log collectors in the group, providing backup in case one log collector fails. Panorama HA does not automatically ensure that no logs are lost if a server fails inside the HA cluster, as HA only provides redundancy for configuration and device management, not for logging. Panorama HA with log redundancy is not a valid option, as log redundancy is configured at the collector group level, not at the HA level. Panorama Collector Group does not automatically ensure that no logs are lost if a server fails inside the Collector Group, as log redundancy needs to be enabled explicitly in the collector group settings.

Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-collection-and-forwarding/configure-log-collection-on-panorama
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-collection-and-forwarding/configure-log-redundancy

An administrator is seeing one of the firewalls in an HA active/passive pair moved to 'suspended' state due to Non-functional loop. Which three actions will help the administrator troubleshoot this issue? (Choose three.)

A. Use the CLI command show high-availability flap-statistics
B. Check the HA Link Monitoring interface cables.
C. Check the High Availability > Link and Path Monitoring settings.
D. Check High Availability > Active/Passive Settings > Passive Link State.
E. Check the High Availability > HA Communications > Packet Forwarding settings.

Suggested answer: A, B, C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhJCAS&lang=ja&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A. PAN-OS integrated User-ID agent
B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration

Suggested answer: B

Explanation:

Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

What can be used to create dynamic address groups?

A. dynamic address
B. region objects
C. tags
D. FQDN addresses

Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

A. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
B. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
C. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
D. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/schedule-a-configuration-push-to-managed-firewalls

Log in to the Panorama Web Interface. Create a scheduled configuration push. Select Panorama > Scheduled Config Push and Add a new scheduled configuration push. You can also schedule a configuration push to managed firewalls when you push to devices (Commit > Push to Devices).

Which statement accurately describes service routes and virtual systems?

A. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.
B. Virtual systems can only use one interface for all global service and service routes of the firewall.
C. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.
D. The interface must be used for traffic to the required external services.

Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system

"When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service route settings. For example, the firewall can use a shared email server to originate email alerts to all virtual systems. In some scenarios, you'd want to create different service routes for each virtual system."

You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?

A. Upgrade the Log Collectors one at a time.
B. Add Panorama Administrators to each Managed Collector.
C. Add a Global Authentication Profile to each Managed Collector.
D. Upgrade all the Log Collectors at the same time.

Suggested answer: D

Explanation:

You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected

Which configuration is backed up using the Scheduled Config Export feature in Panorama?

A. Panorama running configuration
B. Panorama candidate configuration
C. Panorama candidate configuration and candidate configuration of all managed devices
D. Panorama running configuration and running configuration of all managed devices

Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/administer-panorama/manage-panorama-and-firewall-configuration-backups

Total 426 questions