Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 19

Question 181


A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization's PKI
C. A web server certificate signed by the organization's PKI
D. A subordinate Certificate Authority certificate signed by the organization's PKI
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

asked 23/09/2024
luis lozano

Question 182


During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.
B. Registry keys on the Windows system.
C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.
D. The Certificate profile in the GlobalProtect Portal Authentication Settings.
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/connect-before-logon

"To use Connect Before Logon, you must enable the settings in the Windows registry and choose the authentication method"

asked 23/09/2024
Charly Ndedi Priso

Question 183


The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.

When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

A. Management only mode
B. Expired certificates
C. Outdated plugins
D. GlobalProtect agent version
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-upgrade/upgrade-panorama-plugins/panorama-plugins-upgrade-downgrade-considerations

Before you upgrade to PAN-OS 11.0, you must download the Panorama plugin version supported on PAN-OS 11.0 for all plugins installed on Panorama. This is required to successfully upgrade to PAN-OS 11.0. See the Compatibility Matrix for more information.

asked 23/09/2024
Aejaz Rab

Question 184


An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

A. Syslog
B. XFF Headers
C. Client probing
D. Server Monitoring
Suggested answer: A, B

Explanation:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xff-headers#idf60a278d-2285-4b19-9cc3-95a4b88d5c51

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/syslog#idee459093-72c1-4ca5-9e44-2c4f359090bb

asked 23/09/2024
YASSIR GHAZY

Question 185


Refer to the exhibit.

[Exhibit: screenshot of the ACC (image not included)]

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

A. Click the hyperlink for the Zero Access.Gen threat.
B. Click the left arrow beside the Zero Access.Gen threat.
C. Click the source user with the highest threat count.
D. Click the hyperlink for the hotport threat Category.
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

asked 23/09/2024
Nader Pouri

Question 186


An administrator creates an application-based security policy rule and commits the change to the firewall. Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

A. Use the show predefined xpath <value> command and review the output.
B. Review the App Dependency application list from the Commit Status view.
C. Open the security policy rule and review the Depends On application list.
D. Reference another application group containing similar applications.
Suggested answer: B, C

Explanation:

These two methods allow the administrator to see the dependent applications for a security policy rule that uses application-based criteria. The App Dependency application list shows the applications that are required for the rule to function properly [1]. The Depends On application list shows the applications that are implicitly added to the rule based on the predefined dependencies [2].

Reference:
[1] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/app-id-features/simplified-application-dependency-workflow
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/use-application-objects-in-policy/resolve-application-dependencies

asked 23/09/2024
DOMINIC FERNANDEZ

Question 187


What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 1 SAs are synchronized over HA1 links.
C. Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
Suggested answer: C

Explanation:

From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls... This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."

And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief

asked 23/09/2024
Maxime ESSIS

Question 188


An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.
B. Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.
C. Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
D. Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
Suggested answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

asked 23/09/2024
Jeremiah Gem Galeon

Question 189


An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application.

Which application will be used to identify traffic traversing the firewall?

A. Custom application
B. Unknown application
C. Incomplete application
D. Downloaded application
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-application-signatures.html

asked 23/09/2024
Shameez Mohammed

Question 190


What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
B. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
C. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfoCAC "Should the IPSec connection fail, VPN will fall back to SSL protocol."

asked 23/09/2024
christopher tenney