ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 19

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.
B. Registry keys on the Windows system.
C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.
D. The Certificate profile in the GlobalProtect Portal Authentication Settings.
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/connect-before-logon

"To use Connect Before Logon, you must enable the settings in the Windows registry and choose the authentication method"

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.

When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

A. Management only mode
B. Expired certificates
C. Outdated plugins
D. GlobalProtect agent version
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-panorama-plugins/panorama-plugins-upgrade-downgrade-considerations

Before you upgrade to PAN-OS 11.0, you must download the Panorama plugin version supported on PAN-OS 11.0 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 11.0. See the Compatibility Matrix for more information.

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third-party proxies? (Choose two.)

A. Syslog
B. XFF Headers
C. Client probing
D. Server Monitoring
Suggested answer: A, B

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xff-headers#idf60a278d-2285-4b19-9cc3-95a4b88d5c51

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/syslog#idee459093-72c1-4ca5-9e44-2c4f359090bb

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

A. Click the hyperlink for the Zero Access.Gen threat.
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

A. Use the show predefined xpath <value> command and review the output.
B. Review the App Dependency application list from the Commit Status view.
C. Open the security policy rule and review the Depends On application list.
D. Reference another application group containing similar applications.
Suggested answer: B, C

Explanation:

These two methods allow the administrator to see the dependent applications for a security policy rule that uses application-based criteria. The App Dependency application list shows the applications that are required for the rule to function properly [1]. The Depends On application list shows the applications that are implicitly added to the rule based on the predefined dependencies [2].

Reference:
[1] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/app-id-features/simplified-application-dependency-workflow
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 1 SAs are synchronized over HA1 links.
C. Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
Suggested answer: C

Explanation:

From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."

And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.
B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
Suggested answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

A. Custom application
B. Unknown application
C. Incomplete application
D. Downloaded application
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-application-signatures.html

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
B. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
C. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfoCAC

"Should the IPSec connection fail, VPN will fall back to SSL protocol."

Total 426 questions