ExamGecko
Login
Home / Palo Alto Networks / PCNSE / List of questions
Ask Question

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 2

Add to Whishlist

List of questions

Question 11

Report Export Collapse

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Certificate profile
Certificate profile
Path Quality profile
Path Quality profile
SD-WAN Interface profile
SD-WAN Interface profile
Traffic Distribution profile
Traffic Distribution profile
Suggested answer: C
Explanation:

To enable forward error correction (FEC) for PAN-OS SD-WAN, you need to create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile to one or more interfaces. Then you need to create an Error Correction Profile to implementFEC or packet duplication. Reference: https://docs.paloaltonetworks.com/sd-wan/2-0/sd-wan- admin/configure-sd-wan/create-an-error-correction-profile

asked 23/09/2024
Arvin Lee
43 questions

Question 12

Report Export Collapse

What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Suggested answer: C
asked 23/09/2024
Ali Diaz
34 questions

Question 13

Report Export Collapse

What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

Phase 2 SAs are synchronized over HA2 links
Phase 2 SAs are synchronized over HA2 links
Phase 1 and Phase 2 SAs are synchronized over HA2 links
Phase 1 and Phase 2 SAs are synchronized over HA2 links
Phase 1 SAs are synchronized over HA1 links
Phase 1 SAs are synchronized over HA1 links
Phase 1 and Phase 2 SAs are synchronized over HA3 links
Phase 1 and Phase 2 SAs are synchronized over HA3 links
Suggested answer: A
asked 23/09/2024
Khuong Tang
34 questions

Question 14

Report Export Collapse

A standalone firewall with local objects and policies needs to be migrated into Panoram a. What procedure should you use so Panorama is fully managing the firewall?

Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"
Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"
Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration
Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration
Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration
Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration
Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"
Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"
Suggested answer: B
Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-afirewall-to-panorama-management/migrate-a-firewall-to-panorama-management.html

asked 23/09/2024
Rannie Dayapan
46 questions

Question 15

Report Export Collapse

Before you upgrade a Palo Alto Networks NGFW, what must you do?

Make sure that the PAN-OS support contract is valid for at least another year
Make sure that the PAN-OS support contract is valid for at least another year
Export a device state of the firewall
Export a device state of the firewall
Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
Make sure that the firewall is running a supported version of the app + threat update
Make sure that the firewall is running a supported version of the app + threat update
Suggested answer: D
Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade- checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00 "Verify the minimum content release version."Before you upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OShttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

asked 23/09/2024
Maurizio Budicin
37 questions

Question 16

Report Export Collapse

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.

Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

Layer 3
Layer 3
Virtual Wire
Virtual Wire
Tap
Tap
Layer 2
Layer 2
Suggested answer: C
Explanation:

A tap interface is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive. A tap interface allows the firewall to passively monitor network traffic without affecting the flow of traffic. The firewall can analyze the traffic and generate reports based on the application, user, content, and threat information. Reference:https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure- interfaces/configure-a-tap-interface

asked 23/09/2024
Krishan Randitha
50 questions

Question 17

Report Export Collapse

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul?

(Choose two)

client certificate
client certificate
certificate profile
certificate profile
certificate authority (CA) certificate
certificate authority (CA) certificate
server certificate
server certificate
Suggested answer: B, C
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/managefirewall-administrators/configure-administrative-accounts-and-authentication/configure-certificatebased-administrator-authentication-to-the-web-interface.html

asked 23/09/2024
David LeBlanc
24 questions

Question 18

Report Export Collapse

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

Enable SSL decryption for known malicious source IP addresses
Enable SSL decryption for known malicious source IP addresses
Enable SSL decryption for source users and known malicious URL categories
Enable SSL decryption for source users and known malicious URL categories
Enable SSL decryption for malicious source users
Enable SSL decryption for malicious source users
Enable SSL decryption for known malicious destination IP addresses
Enable SSL decryption for known malicious destination IP addresses
Suggested answer: B
Explanation:

According to the Palo Alto Networks best practices, one of the ways to implement SSL decryption using a phased approach is to enable SSL decryption for source users and known malicious URL categories. This will allow you to block or alert on traffic that is likely to be malicious or risky, while minimizing the impact on legitimate traffic and user privacy. Reference:https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best- practices/ deploy-ssl-decryption-using-a-phased-approach

asked 23/09/2024
CRISTIAN FONSECA
44 questions

Question 19

Report Export Collapse

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

a Security policy with 'known-user" selected in the Source User field
a Security policy with 'known-user" selected in the Source User field
an Authentication policy with 'unknown' selected in the Source User field
an Authentication policy with 'unknown' selected in the Source User field
a Security policy with 'unknown' selected in the Source User field
a Security policy with 'unknown' selected in the Source User field
an Authentication policy with 'known-user' selected in the Source User field
an Authentication policy with 'known-user' selected in the Source User field
Suggested answer: B
Explanation:

An Authentication policy with 'unknown' selected in the Source User field would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain. This policy would prompt the user to enter their credentials when they access a web-based application or service that requires authentication. The firewall would then use User-ID to map the user to the device and apply the appropriate security policies based on theuser identity. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/authentication/configure-an-authentication-policy

asked 23/09/2024
nir avron
45 questions

Question 20

Report Export Collapse

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

Destination Zone
Destination Zone
App-ID
App-ID
Custom URL Category
Custom URL Category
User-ID
User-ID
Source Interface
Source Interface
Suggested answer: A, C, D
Explanation:

The valid qualifiers for a Decryption Policy Rule match are: Source Zone Destination Zone Source Address Destination Address Source User Destination User Source Region Destination Region Service/URL Category Custom URL Category URL Filtering Profile Therefore, out of the options given, Destination Zone, Custom URL Category, and User-ID are valid qualifiers. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/decryption/configure-decryption-policies.html

asked 23/09/2024
Andrew Staton
44 questions
Total 499 questions
Go to page: of 50
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify'?
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?
If a URL is in multiple custom URL categories with different actions, which action will take priority?
What is a correct statement regarding administrative authentication using external services with a local authorization method?
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?