Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 15
Question 141

An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.
Based on the image, which NAT rule will forward web-browsing traffic correctly?
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping.html
Question 142

An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
Question 143

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama
Question 144

An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/wildfire-inline-ml/configure-wildfire-inline-ml
"The File Exceptions table allows you to define specific files that you do not want analyzed, such as false-positives.
To create a new file exception entry, Add a new entry and provide the partial hash, filename, and description of the file that you want to exclude from enforcement."
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/objects/objects-security-profiles-antivirus
Question 145

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
Explanation:
This combination of service and application, and order of Security policy rules, allows clear-text web-browsing traffic to the server on tcp/443. The first rule matches the web-browsing application on the service-https service, which is a predefined service object that includes tcp/443 as the default port. The second rule matches the ssl application on the application-default service, which is a dynamic service object that includes the default ports for each application. This rule is needed to allow the decrypted ssl traffic to pass through the firewall after the Forward Proxy rule. The order of the rules is important because the firewall evaluates the rules from top to bottom and applies the first matching rule.
https://live.paloaltonetworks.com/t5/general-topics/web-browsing-default-port-application/td-p/228859
Question 146

The firewall identifies a popular application as unknown-tcp.
Which two options are available to identify the application? (Choose two.)
Explanation:
You can create a custom app: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application or submit a request to PAN: https://www.paloaltonetworks.com/blog/submit-an-application/
Question 147

An administrator is required to create an application-based Security policy rule to allow Evernote.
The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/applications-with-implicit-support
Question 148

DRAG DROP
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority. Match the default Administrative Distances for each routing protocol.
Question 149

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized.
Given the size of this environment, which User-ID collection method is sufficient?
Question 150

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?