ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 20

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying. Which statement about the QoS feature is correct?
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

Question 191

Report
Export
Collapse

An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?

A.
They can have a different bandwidth.
A.
They can have a different bandwidth.
Answers
B.
They can have a different interface type such as Layer 3 or Layer 2.
B.
They can have a different interface type such as Layer 3 or Layer 2.
Answers
C.
They can have a different interface type from an aggregate interface group.
C.
They can have a different interface type from an aggregate interface group.
Answers
D.
They can have different hardware media such as the ability to mix fiber optic and copper.
D.
They can have different hardware media such as the ability to mix fiber optic and copper.
Answers
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure- interfaces/configure-an-aggregate-interface-group

Question 192

Report
Export
Collapse

What is a key step in implementing WildFire best practices?

A.
In a mission-critical network, increase the WildFire size limits to the maximum value.
A.
In a mission-critical network, increase the WildFire size limits to the maximum value.
Answers
B.
Configure the firewall to retrieve content updates every minute.
B.
Configure the firewall to retrieve content updates every minute.
Answers
C.
In a security-first network, set the WildFire size limits to the minimum value.
C.
In a security-first network, set the WildFire size limits to the minimum value.
Answers
D.
Ensure that a Threat Prevention subscription is active.
D.
Ensure that a Threat Prevention subscription is active.
Answers
Suggested answer: D

Explanation:

In the WildFire best practices linked below, the first step is to "... make sure that you have an active Threat Prevention subscription. Together, WildFireÆ and Threat Prevention enable comprehensivethreat detection and prevention." https:// docs.paloaltonetworks.com/wildfire/10-1/wildfire- admin/wildfire-deployment-best-practices/wildfire-best-practices.html

Question 193

Report
Export
Collapse

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What can the administrator do to correct this issue?

A.
Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
A.
Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
Answers
B.
Add a firewall to both the device group and the template.
B.
Add a firewall to both the device group and the template.
Answers
C.
Specify the target device as the master device in the device group.
C.
Specify the target device as the master device in the device group.
Answers
D.
Add the template as a reference template in the device group.
D.
Add the template as a reference template in the device group.
Answers
Suggested answer: D

Explanation:

Short According to the Palo Alto Networks documentation, "To use a template stack for a device group, you must add the template stack as a reference template in the device group. This enables you to use zones and interfaces defined in the template stack when creating policies for the device group." Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks

Question 194

Report
Export
Collapse

Review the images.

A firewall policy that permits web traffic includes the What is the result of traffic that matches the "Alert - Threats" Profile Match List?

A.
The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
A.
The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
Answers
B.
The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
B.
The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
Answers
C.
The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
C.
The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
Answers
D.
The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
D.
The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
Answers
Suggested answer: C

Explanation:

The threat profile has the action set to "alert" which means that the traffic is allowed but logged. The profile also has the "Tag Source IP" option enabled with the tag name "BadGuys" and the timeout value of 180 minutes. This means that any source IP address that matches a threat signature will be tagged with "BadGuys" for 180 minutes. The tag can be used for dynamic address groups or external dynamic lists to enforce policy actions based on the tag. Reference: :https:// docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/set-up-antivirus- anti-spyware-and-vulnerability-protection/tag-source-ip-addresses-that-trigger-threat-signatures

Question 195

Report
Export
Collapse

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

What should the administrator do to allow the tool to scan through the firewall?

A.
Remove the Zone Protection profile from the zone setting.
A.
Remove the Zone Protection profile from the zone setting.
Answers
B.
Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.
B.
Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.
Answers
C.
Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.
C.
Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.
Answers
D.
Change the TCP port scan action from Block to Alert in the Zone Protection profile.
D.
Change the TCP port scan action from Block to Alert in the Zone Protection profile.
Answers
Suggested answer: B

Explanation:

The administrator should add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile to allow the tool to scan through the firewall. Reconnaissance protection is a feature of Zone Protection profiles that allows the firewall to detect and block network reconnaissance attempts, such as port scans. The source address exclusion list allows theadministrator to whitelist up to 20 IP addresses or netmask address objects that are exempt fromreconnaissance protection1. Option A is incorrect because removing the Zone Protection profile from the zone setting would disable all the zone protection features, not just reconnaissance protection.This would reduce the security of the zone and expose it to other types of attacks. Option C is incorrect because adding the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile would not have any effect. DoS Protection profiles are used to protect against excessive traffic volume, not network reconnaissance attempts. Option D is incorrect because changing the TCP port scan action from Block to Alert in the Zone Protection profile would only affect TCP port scans, not other types of scans. It would also affect all TCP port scans, not just those from the tool IP address.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/configure-zone-protection-to-increase-network-security/configure-reconnaissance- protection

Question 196

Report
Export
Collapse

An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

A.
Panorama does not have valid licenses to push the dynamic updates.
A.
Panorama does not have valid licenses to push the dynamic updates.
Answers
B.
Panorama has no connection to Palo Alto Networks update servers.
B.
Panorama has no connection to Palo Alto Networks update servers.
Answers
C.
No service route is configured on the firewalls to Palo Alto Networks update servers.
C.
No service route is configured on the firewalls to Palo Alto Networks update servers.
Answers
D.
Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
D.
Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
Answers
Suggested answer: D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0 "Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting."

Question 197

Report
Export
Collapse

An administrator wants to enable WildFire inline machine learning.

Which three file types does WildFire inline ML analyze? (Choose three.)

A.
MS Office
A.
MS Office
Answers
B.
ELF
B.
ELF
Answers
C.
APK
C.
APK
Answers
D.
VBscripts
D.
VBscripts
Answers
E.
Powershell scripts
E.
Powershell scripts
Answers
Suggested answer: A, B, E

Question 198

Report
Export
Collapse

An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

A.
Device administrator (read-only)
A.
Device administrator (read-only)
Answers
B.
System administrator (read-only)
B.
System administrator (read-only)
Answers
C.
Firewall administrator (read-only)
C.
Firewall administrator (read-only)
Answers
D.
Superuser (read-only)
D.
Superuser (read-only)
Answers
Suggested answer: A

Explanation:

Read-only access to all firewall settings except password profiles (no access) and administratoraccounts (only the logged in account is visible). https://docs.paloaltonetworks.com/pan-os/10- 1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types

Question 199

Report
Export
Collapse

Which feature checks Panorama connectivity status after a commit?

A.
Automated commit recovery
A.
Automated commit recovery
Answers
B.
Scheduled config export
B.
Scheduled config export
Answers
C.
Device monitoring data under Panorama settings
C.
Device monitoring data under Panorama settings
Answers
D.
HTTP Server profiles
D.
HTTP Server profiles
Answers
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama- features/automatic-panorama-connection-recovery

Question 200

Report
Export
Collapse

What is the dependency for users to access services that require authentication?

A.
An Authentication profile that includes those services
A.
An Authentication profile that includes those services
Answers
B.
Disabling the authentication timeout
B.
Disabling the authentication timeout
Answers
C.
An authentication sequence that includes those services
C.
An authentication sequence that includes those services
Answers
D.
A Security policy allowing users to access those services
D.
A Security policy allowing users to access those services
Answers
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication- policy/configure-authentication-policy

Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms