ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 2

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

Question 11

Report
Export
Collapse

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

A.
Certificate profile
A.
Certificate profile
Answers
B.
Path Quality profile
B.
Path Quality profile
Answers
C.
SD-WAN Interface profile
C.
SD-WAN Interface profile
Answers
D.
Traffic Distribution profile
D.
Traffic Distribution profile
Answers
Suggested answer: C

Explanation:

To enable forward error correction (FEC) for PAN-OS SD-WAN, you need to create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface selection and apply the profile to one or more interfaces. Then you need to create an Error Correction Profile to implementFEC or packet duplication. Reference: https://docs.paloaltonetworks.com/sd-wan/2-0/sd-wan- admin/configure-sd-wan/create-an-error-correction-profile

Question 12

Report
Export
Collapse

What is the best description of the HA4 Keep-Alive Threshold (ms)?

A.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
A.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
Answers
B.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
B.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
Answers
C.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
C.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
Answers
D.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
D.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Answers
Suggested answer: C

Question 13

Report
Export
Collapse

What happens when an A/P firewall cluster synchronies IPsec tunnel security associations (SAs)?

A.
Phase 2 SAs are synchronized over HA2 links
A.
Phase 2 SAs are synchronized over HA2 links
Answers
B.
Phase 1 and Phase 2 SAs are synchronized over HA2 links
B.
Phase 1 and Phase 2 SAs are synchronized over HA2 links
Answers
C.
Phase 1 SAs are synchronized over HA1 links
C.
Phase 1 SAs are synchronized over HA1 links
Answers
D.
Phase 1 and Phase 2 SAs are synchronized over HA3 links
D.
Phase 1 and Phase 2 SAs are synchronized over HA3 links
Answers
Suggested answer: A

Question 14

Report
Export
Collapse

A standalone firewall with local objects and policies needs to be migrated into Panoram a. What procedure should you use so Panorama is fully managing the firewall?

A.
Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"
A.
Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"
Answers
B.
Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration
B.
Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration
Answers
C.
Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration
C.
Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration
Answers
D.
Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"
D.
Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"
Answers
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-afirewall-to-panorama-management/migrate-a-firewall-to-panorama-management.html

Question 15

Report
Export
Collapse

Before you upgrade a Palo Alto Networks NGFW, what must you do?

A.
Make sure that the PAN-OS support contract is valid for at least another year
A.
Make sure that the PAN-OS support contract is valid for at least another year
Answers
B.
Export a device state of the firewall
B.
Export a device state of the firewall
Answers
C.
Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
C.
Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
Answers
D.
Make sure that the firewall is running a supported version of the app + threat update
D.
Make sure that the firewall is running a supported version of the app + threat update
Answers
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade- checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00 "Verify the minimum content release version."Before you upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OShttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

Question 16

Report
Export
Collapse

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.

Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

A.
Layer 3
A.
Layer 3
Answers
B.
Virtual Wire
B.
Virtual Wire
Answers
C.
Tap
C.
Tap
Answers
D.
Layer 2
D.
Layer 2
Answers
Suggested answer: C

Explanation:

A tap interface is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive. A tap interface allows the firewall to passively monitor network traffic without affecting the flow of traffic. The firewall can analyze the traffic and generate reports based on the application, user, content, and threat information. Reference:https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure- interfaces/configure-a-tap-interface

Question 17

Report
Export
Collapse

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul?

(Choose two)

A.
client certificate
A.
client certificate
Answers
B.
certificate profile
B.
certificate profile
Answers
C.
certificate authority (CA) certificate
C.
certificate authority (CA) certificate
Answers
D.
server certificate
D.
server certificate
Answers
Suggested answer: B, C

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/managefirewall-administrators/configure-administrative-accounts-and-authentication/configure-certificatebased-administrator-authentication-to-the-web-interface.html

Question 18

Report
Export
Collapse

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices What should you recommend?

A.
Enable SSL decryption for known malicious source IP addresses
A.
Enable SSL decryption for known malicious source IP addresses
Answers
B.
Enable SSL decryption for source users and known malicious URL categories
B.
Enable SSL decryption for source users and known malicious URL categories
Answers
C.
Enable SSL decryption for malicious source users
C.
Enable SSL decryption for malicious source users
Answers
D.
Enable SSL decryption for known malicious destination IP addresses
D.
Enable SSL decryption for known malicious destination IP addresses
Answers
Suggested answer: B

Explanation:

According to the Palo Alto Networks best practices, one of the ways to implement SSL decryption using a phased approach is to enable SSL decryption for source users and known malicious URL categories. This will allow you to block or alert on traffic that is likely to be malicious or risky, while minimizing the impact on legitimate traffic and user privacy. Reference:https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best- practices/ deploy-ssl-decryption-using-a-phased-approach

Question 19

Report
Export
Collapse

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

A.
a Security policy with 'known-user" selected in the Source User field
A.
a Security policy with 'known-user" selected in the Source User field
Answers
B.
an Authentication policy with 'unknown' selected in the Source User field
B.
an Authentication policy with 'unknown' selected in the Source User field
Answers
C.
a Security policy with 'unknown' selected in the Source User field
C.
a Security policy with 'unknown' selected in the Source User field
Answers
D.
an Authentication policy with 'known-user' selected in the Source User field
D.
an Authentication policy with 'known-user' selected in the Source User field
Answers
Suggested answer: B

Explanation:

An Authentication policy with 'unknown' selected in the Source User field would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain. This policy would prompt the user to enter their credentials when they access a web-based application or service that requires authentication. The firewall would then use User-ID to map the user to the device and apply the appropriate security policies based on theuser identity. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/authentication/configure-an-authentication-policy

Question 20

Report
Export
Collapse

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

A.
Destination Zone
A.
Destination Zone
Answers
B.
App-ID
B.
App-ID
Answers
C.
Custom URL Category
C.
Custom URL Category
Answers
D.
User-ID
D.
User-ID
Answers
E.
Source Interface
E.
Source Interface
Answers
Suggested answer: A, C, D

Explanation:

The valid qualifiers for a Decryption Policy Rule match are: Source Zone Destination Zone Source Address Destination Address Source User Destination User Source Region Destination Region Service/URL Category Custom URL Category URL Filtering Profile Therefore, out of the options given, Destination Zone, Custom URL Category, and User-ID are valid qualifiers. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os- admin/decryption/configure-decryption-policies.html

Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms