ExamGecko
Ask Question

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 15

Question list
Search

List of questions

Search

Related questions











Question 141

Report
Export
Collapse

An administrator wants multiple web servers In the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the image, which NAT rule will forward web-browsing traffic correctly?

Palo Alto Networks PCNSE image Question 141 54378 09232024001219000000

Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration- examples/destination-nat-exampleone-to-one-mapping.html

asked 23/09/2024
Markus Hechtl
35 questions

Question 142

Report
Export
Collapse

An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)

URL categories
URL categories
source users
source users
source and destination IP addresses
source and destination IP addresses
App-ID
App-ID
GlobalProtect HIP
GlobalProtect HIP
Suggested answer: A, B, C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0 https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/define-traffic-to- decrypt/create-a-decryption-policy-rule

asked 23/09/2024
Priyantha Perea
40 questions

Question 143

Report
Export
Collapse

A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panoram a. In which section is this configured?

Panorama > Managed Devices
Panorama > Managed Devices
Monitor > Logs > Traffic
Monitor > Logs > Traffic
Device Groups > Objects > Log Forwarding
Device Groups > Objects > Log Forwarding
Templates > Device > Log Settings
Templates > Device > Log Settings
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-log- collection/configure-log-forwarding-to-panorama

asked 23/09/2024
Mario Perez Hervas
34 questions

Question 144

Report
Export
Collapse

An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?

Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.
Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.
Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.
Disable the WildFire profile on the related Security policy.
Disable the WildFire profile on the related Security policy.
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/wildfire-inline- ml/configure-wildfire-inline-ml"The File Exceptions table allows you to define specific files that you do not want analyzed, such as false-positives.

To create a new file exception entry, Add a new entry and provide the partial hash, filename, and description of the file that you want to exclude from enforcement." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/ objects/objects- security-profiles-antivirus

asked 23/09/2024
abdelhafid houssa
41 questions

Question 145

Report
Export
Collapse

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443 A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cJeartext web-browsing traffic to this server on tcp/443?

Rule #1 application: web-browsing; service application-default; action: allow Rule #2- application: ssl; service: application-default; action: allow
Rule #1 application: web-browsing; service application-default; action: allow Rule #2- application: ssl; service: application-default; action: allow
Rule #1: application; web-browsing; service: service-https; action: allow Rule #2 application: ssl;service: application-default, action: allow
Rule #1: application; web-browsing; service: service-https; action: allow Rule #2 application: ssl;service: application-default, action: allow
Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl;service: application-default; action: allow
Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl;service: application-default; action: allow
Rule tf1 application: ssl; service: application-default; action: allow Rule #2 application; webbrowsing; service application-default; action: allow
Rule tf1 application: ssl; service: application-default; action: allow Rule #2 application; webbrowsing; service application-default; action: allow
Suggested answer: B

Explanation:

This combination of service and application, and order of Security policy rules, allows clear-text web- browsing traffic to the server on tcp/443. The first rule matches the web-browsing application on the service-https service, which is a predefined service object that includes tcp/443 as the default port.The second rule matches the ssl application on the application-default service, which is a dynamic service object that includes the default ports for each application. This rule is needed to allow the decrypted ssl traffic to pass through the firewall after the Forward Proxy rule. The order of the rules is important because the firewall evaluates the rules from top to bottom and applies the first matching rule. https://live.paloaltonetworks.com/t5/general-topics/web-browsing-default-port-application/td- p/228859

asked 23/09/2024
Dewi Fitriyani
52 questions

Question 146

Report
Export
Collapse

The firewall identifies a popular application as an unKnown-tcp.

Which two options are available to identify the application? (Choose two.)

Create a custom application.
Create a custom application.
Submit an App-ID request to Palo Alto Networks.
Submit an App-ID request to Palo Alto Networks.
Create a custom object for the application server.
Create a custom object for the application server.
Create a Security policy to identify the custom application.
Create a Security policy to identify the custom application.
Suggested answer: A, B

Explanation:

You can create a custom app: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app- id/use-application-objects-in-policy/create-a-custom-application or submit a request to PANhttps://www.paloaltonetworks.com/blog/submit-an-application/

asked 23/09/2024
Adetutu Ogunsowo
45 questions

Question 147

Report
Export
Collapse

An administrator is required to create an application-based Security policy rule to allow Evernote.

The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
Add the HTTP, SSL, and Evernote applications to the same Security policy
Add the HTTP, SSL, and Evernote applications to the same Security policy
Add only the Evernote application to the Security policy rule.
Add only the Evernote application to the Security policy rule.
Create an Application Override using TCP ports 443 and 80.
Create an Application Override using TCP ports 443 and 80.
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/applications-with-implicit- supportion:

asked 23/09/2024
JAMIE JARAMILLO LOOR
37 questions

Question 148

Report
Export
Collapse

DRAG DROP

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.


Palo Alto Networks PCNSE image Question 148 54385 09232024121219000
Correct answer: Palo Alto Networks PCNSE image answer Question 148 54385 09232024121219000
asked 23/09/2024
marcio Gomes lobo
26 questions

Question 149

Report
Export
Collapse

Your company occupies one floor in a single building. You have two Active Directory domain controllers on a single network. The firewall's management-plane resources are lightly utilized.

Given the size of this environment, which User-ID collection method is sufficient?

Citrix terminal server agent deployed on the network
Citrix terminal server agent deployed on the network
Windows-based agent deployed on each domain controller
Windows-based agent deployed on each domain controller
PAN-OS integrated agent deployed on the firewall
PAN-OS integrated agent deployed on the firewall
a syslog listener
a syslog listener
Suggested answer: C
asked 23/09/2024
Alex Tzibosnik
38 questions

Question 150

Report
Export
Collapse

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub interface on a Palo Alto Networks firewall. However this network segment cannot access the dedicated management interface due to the Security policy Without changing the existing access to the management interface how can the engineer fulfill this request?

Enable HTTPS in an Interface Management profile on the sub interface
Enable HTTPS in an Interface Management profile on the sub interface
Add the network segment's IP range to the Permitted IP Addresses list
Add the network segment's IP range to the Permitted IP Addresses list
Specify the subinterface as a management interface in Setup > Device > Interfaces
Specify the subinterface as a management interface in Setup > Device > Interfaces
Cnfigure a service route for HTTP to use the subinterface
Cnfigure a service route for HTTP to use the subinterface
Suggested answer: A
asked 23/09/2024
Lyboth Ntsana
43 questions
Total 470 questions
Go to page: of 47