ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 17

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane?

A. NTP
B. Antivirus
C. WildFire updates
D. NAT
E. File tracking
Suggested answer: A, C, D

Which two events trigger the operation of automatic commit recovery? (Choose two.)

A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall HA pair fails over
D. when a firewall performs a local commit
Suggested answer: B, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panoramafeatures/automatic-panorama-connection-recovery.html

Automatic commit recovery allows you to configure the firewall to attempt a specified number of connectivity tests after:

1. you push a configuration from Panorama, or

2. you commit a configuration change locally on the firewall.

Additionally, the firewall checks connectivity to Panorama every hour to ensure consistent communication in the event unrelated network configuration changes have disrupted connectivity between the firewall and Panorama or if implications to a pushed committed configuration may have affected connectivity.

Panorama provides which two SD-WAN functions? (Choose two.)

A. data plane
B. physical network links
C. network monitoring
D. control plane
Suggested answer: C, D

Explanation:

https://www.paloaltonetworks.com/resources/guides/sd-wan-architecture-guide

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/about-sdwan.html

Panorama provides network monitoring and the control plane. The data plane and physical interfaces are handled directly by the firewalls where SD-WAN is enabled.

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

A. Create and add a monitor profile with an action of fail over in the PBF rule in question
B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
C. Configure path monitoring for the next hop gateway on the default route in the virtual router
D. Enable and configure a link monitoring profile for the external interface of the firewall
Suggested answer: A

The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

A. It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface.
B. It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface.
C. It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.
D. It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface.
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

A. The trusted certificate
B. The server certificate
C. The untrusted certificate
D. The root CA
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8wCA

"The validity date on the Palo Alto Networks firewall generated certificate is taken from the validity date on the real server certificate."

Refer to the exhibit.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

A. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, DATACENTER_DG default rules
B. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, shared default rules
C. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, shared default rules
D. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, DATACENTER_DG default rules
Suggested answer: A

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
B. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
D. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu.
Suggested answer: D

Explanation:

Panorama can help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall by providing information about system resources of the managed devices in the Managed Devices > Health menu. This is explained in the Palo Alto Networks PCNSE Study Guide in Chapter 13: Panorama, under the section "Monitoring Managed Firewalls with Panorama": "The Panorama web interface provides information about the system resources of the managed devices. In the Managed Devices > Health menu, you can view the CPU, memory, and disk usage of each managed device. This information can help you troubleshoot problems such as high CPU or resource exhaustion on a managed firewall."

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

A. PAN-DB URL category in URL Filtering profile
B. Custom URL category in Security policy rule
C. Custom URL category in URL Filtering profile
D. EDL in URL Filtering profile
Suggested answer: A

Explanation:


After configuring HA in Active/Passive mode on a pair of firewalls, the administrator gets a failed commit with the following details.

What are two explanations for this type of issue? (Choose two.)

A. The peer IP is not included in the permit list on Management Interface Settings
B. The Backup Peer HA1 IP Address was not configured when the commit was issued
C. Either management or a data-plane interface is used as HA1-backup
D. One of the firewalls has gone into the suspended state
Suggested answer: B, C

Explanation:

Cause: The issue is seen when the HA1-backup is configured with either management (MGT) or an in-band interface. The "Backup Peer HA1 IP Address" is not configured: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU&lang=en_US

Total 426 questions