ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 22

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

A. A subject alternative name
B. A private key
C. A server certificate
D. A certificate authority (CA) certificate

Suggested answer: B, D

Explanation:

SSL Forward Proxy works by impersonation: for every decrypted session the firewall generates a copy of the origin server's certificate on the fly and signs that copy with the forward trust certificate. Signing is only possible if the forward trust certificate is itself a CA certificate (Basic Constraints CA=true; PAN-OS will not let a non-CA certificate be used as forward trust) and if the matching private key is present on the firewall (or reachable in an HSM). That makes B and D the required attributes.

A subject alternative name (A) belongs to the impersonation certificates the firewall generates, where it is copied from the real server certificate; it is not a property of the signing CA. A server certificate (C) cannot sign other certificates at all. Two operational points follow from this: the forward trust CA (or its issuer) must be trusted by the clients, otherwise every decrypted site produces a certificate warning, and a separate, deliberately untrusted forward untrust certificate should be configured so that origin servers whose certificates fail validation still produce a warning in the browser instead of being silently re-signed as trusted.
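The following check makes the two requirements concrete. It is an added example, not PAN-OS code or anything from the exam page: it builds two self-signed certificates inline with the `cryptography` library (a CA-style one and a plain server certificate, both constructed test data) and reports why each would or would not qualify as a forward trust certificate. The key-usage test is stricter than PAN-OS strictly demands and is included as a practitioner's sanity check.

```python
"""Check the attributes a forward trust certificate needs for SSL Forward
Proxy: a CA certificate (Basic Constraints CA=true) plus the matching
private key. Added example using the `cryptography` library; the
certificates below are generated inline and are constructed test data."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str, ca: bool):
    """Build a self-signed certificate. ca=True mimics an enterprise CA,
    ca=False mimics an ordinary server certificate with a SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=not ca, data_encipherment=False,
                key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                encipher_only=False, decipher_only=False),
            critical=True)
    )
    if not ca:
        # A SAN is what a server certificate carries; it says nothing about signing ability.
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
    return builder.sign(key, hashes.SHA256()), key


def forward_trust_problems(cert, key=None) -> list:
    """Return the reasons a certificate cannot act as forward trust
    (empty list means it qualifies)."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            problems.append("Basic Constraints CA flag is false")
    except x509.ExtensionNotFound:
        problems.append("Basic Constraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            problems.append("Key Usage lacks keyCertSign")
    except x509.ExtensionNotFound:
        pass  # an absent Key Usage extension imposes no restriction
    if key is None:
        problems.append("no private key available to sign impersonation certificates")
    elif key.public_key().public_numbers() != cert.public_key().public_numbers():
        problems.append("private key does not match certificate public key")
    return problems


if __name__ == "__main__":
    ca_cert, ca_key = make_self_signed("Corp Forward Trust CA", ca=True)
    srv_cert, srv_key = make_self_signed("www.example.com", ca=False)
    print("CA cert + key:", forward_trust_problems(ca_cert, ca_key) or "OK")
    print("server cert + key:", forward_trust_problems(srv_cert, srv_key))
```

Run against a real candidate by loading it with `x509.load_pem_x509_certificate` and `serialization.load_pem_private_key`; the same two checks (CA flag, key match) are what the firewall enforces when you tick "Forward Trust Certificate" on an imported certificate.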

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

A. ASBR
B. ECMP
C. OSPFv3
D. OSPF

Suggested answer: C

Explanation:

Support for multiple instances per link: with OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID. OSPFv2 has no instance ID field in its header, so plain OSPF (D) cannot separate instances on one link; ASBR (A) is a router role, and ECMP (B) is a forwarding feature, neither of which addresses the requirement.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospfconcepts/ospfv3
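To see what the instance-ID check actually looks at, here is a parser for the OSPFv3 packet header (RFC 5340, section A.3.1) together with the per-interface filter described above. This is an added example, not PAN-OS code; the packets are constructed inline with a zero checksum (checksum validation is out of scope here and is done separately by the router), and router and area IDs are arbitrary test values.

```python
"""Parse the OSPFv3 header and apply the Instance ID filter that lets
several OSPFv3 instances share one link. Added example; packets are
constructed test data with the checksum left at zero."""
import socket
import struct
from typing import NamedTuple

# version(1) type(1) length(2) router_id(4) area_id(4) checksum(2) instance_id(1) reserved(1)
OSPFV3_HDR = struct.Struct("!BBH4s4sHBB")
HELLO = 1


class Ospfv3Header(NamedTuple):
    version: int
    pkt_type: int
    length: int
    router_id: str
    area_id: str
    instance_id: int


def build_packet(router_id: str, area_id: str, instance_id: int,
                 pkt_type: int = HELLO, body: bytes = b"") -> bytes:
    """Assemble an OSPFv3 packet (checksum zeroed; test data only)."""
    length = OSPFV3_HDR.size + len(body)
    hdr = OSPFV3_HDR.pack(3, pkt_type, length, socket.inet_aton(router_id),
                          socket.inet_aton(area_id), 0, instance_id, 0)
    return hdr + body


def parse_header(pkt: bytes) -> Ospfv3Header:
    """Decode the fixed 16-byte header, rejecting truncated or non-v3 packets."""
    if len(pkt) < OSPFV3_HDR.size:
        raise ValueError("truncated OSPFv3 header")
    ver, ptype, length, rid, aid, _csum, iid, _rsv = OSPFV3_HDR.unpack_from(pkt)
    if ver != 3:
        raise ValueError(f"not OSPFv3 (version {ver})")
    if length > len(pkt):
        raise ValueError("declared length exceeds packet")
    return Ospfv3Header(ver, ptype, length, socket.inet_ntoa(rid),
                        socket.inet_ntoa(aid), iid)


def accept_on_interface(pkt: bytes, interface_instance_id: int) -> bool:
    """An interface bound to an Instance ID processes only packets that
    carry the same ID; anything else (including malformed input) is dropped."""
    try:
        hdr = parse_header(pkt)
    except ValueError:
        return False
    return hdr.instance_id == interface_instance_id


def demultiplex(packets, interface_instance_ids):
    """Map each instance ID configured on the shared link to the router IDs
    whose packets that instance would process."""
    return {iid: [parse_header(p).router_id for p in packets if accept_on_interface(p, iid)]
            for iid in interface_instance_ids}


if __name__ == "__main__":
    link = [build_packet("10.0.0.1", "0.0.0.1", 1), build_packet("10.0.0.2", "0.0.0.2", 2)]
    print(demultiplex(link, [1, 2]))
```

Because the filter is a plain equality on one header byte, two areas sharing a link only stay separate if every router on that link agrees on which instance ID belongs to which area; a mismatch does not merge the areas, it silently breaks adjacency.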

A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny." Which action will this configuration cause on the matched traffic?

A. The Profile Settings section will be grayed out when the Action is set to "Deny".
B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
C. The configuration will allow the matched session unless a vulnerability signature is detected.
D. The "Deny" action will supersede the per-severity actions defined in the associated Vulnerability Protection Profile. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".

Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html

The first note in the above link states:

"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." The first thing the firewall checks for a flow is the Security policy match and the rule's action. If the matching rule is set to Deny, the session is never built, so the Security profile attached to that rule is never consulted; profiles only scan traffic that a rule has already allowed. The commit neither skips the rule nor warns about it (B), and the profile settings remain editable (A), which is exactly why a profile on a deny rule is a common source of confusion in audits: it looks like inspection but does nothing.
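The evaluation order matters more than the wording of the options, so here is a small model of it. This is an added example, not PAN-OS code: rules are first-match on zone and application, the rule action decides whether a session exists at all, and only an allowed session is handed to the Vulnerability Protection profile, whose per-severity action can then override the allow. Rule names, zones, applications and threat signatures are constructed.

```python
"""Model of Security policy evaluation with a Vulnerability Protection
profile attached. Added example (not PAN-OS code); every name below is
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

BLOCKING_ACTIONS = {"reset-both", "reset-client", "reset-server", "drop", "block-ip"}


@dataclass
class VulnProfile:
    name: str
    actions: dict          # severity -> action, as set per rule in the profile


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: set
    action: str            # "allow" or "deny"
    profile: Optional[VulnProfile] = None


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str
    threats: list = field(default_factory=list)   # (signature, severity) the scanner would find


def match(rule: Rule, s: Session) -> bool:
    # Profiles are deliberately absent here: they are not match criteria.
    return (rule.src_zone == s.src_zone and rule.dst_zone == s.dst_zone
            and ("any" in rule.apps or s.app in rule.apps))


def evaluate(rules, s: Session):
    """Return (verdict, rule_name, profile_consulted) for the first matching rule."""
    for rule in rules:
        if not match(rule, s):
            continue
        if rule.action == "deny":
            # Session is never built, so the attached profile is never consulted.
            return ("deny", rule.name, False)
        if rule.profile is None:
            return ("allow", rule.name, False)
        # Allowed session: now the profile scans it and may override the allow.
        for sig, severity in s.threats:
            action = rule.profile.actions.get(severity, "default")
            if action in BLOCKING_ACTIONS:
                return (f"{action} ({sig})", rule.name, True)
        return ("allow", rule.name, True)
    return ("deny", "interzone-default", False)


if __name__ == "__main__":
    strict = VulnProfile("strict", {"critical": "reset-both", "high": "reset-both", "medium": "alert"})
    policy = [
        Rule("block-smb-out", "trust", "untrust", {"ms-ds-smb"}, "deny", strict),
        Rule("web-out", "trust", "untrust", {"web-browsing", "ssl"}, "allow", strict),
    ]
    print(evaluate(policy, Session("trust", "untrust", "ms-ds-smb", [("sig-1", "critical")])))
    print(evaluate(policy, Session("trust", "untrust", "web-browsing", [("sig-1", "critical")])))
```

The first print shows the exam's point: the deny rule returns before the profile is looked at, even though a critical signature is present. The second shows the profile doing its job on an allowed session.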

An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth Which QoS setting should the engineer adjust?

A. QoS profile: Egress Max
B. QoS interface: Egress Guaranteed
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max
Suggested answer: C

Explanation:

When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-bandwidth-management

A company is looking to increase redundancy in their network. Which interface type could help accomplish this?

A. Layer 2
B. Virtual wire
C. Tap
D. Aggregate ethernet

Suggested answer: D

Explanation:

An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy: if one member link fails, traffic continues over the remaining members of the group. Layer 2, virtual wire and tap are deployment modes of a single interface and add no link redundancy by themselves.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/configure-an-aggregate-interface-group#id9c0f5a8b-0aad-4be5-821d-ef9d7c11a88d

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

A. Configure a floating IP between the firewall pairs.
B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
D. On one pair of firewalls, run the CLI command: set network interface vlan arp.

Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

In an HA pair the firewalls present virtual MAC addresses that are derived from the HA Group ID, so that a failover does not change the MAC address upstream devices have learned. Two pairs on the same Layer 2 segment that use the same Group ID therefore derive the same virtual MACs and collide in the neighbours' ARP tables. Changing the Group ID on one pair so that it differs from the other pair on the same subnet gives that pair a distinct set of virtual MACs and removes the conflict. Floating IP addresses (A) are an active/active HA feature and do not change how the virtual MAC is derived, and changing interface types (C) or ARP settings (D) does not address the Group ID collision.
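A quick way to see the collision before it reaches the ARP tables is to compute the virtual MACs both pairs will claim. This is an added example, not PAN-OS code. It uses the virtual MAC scheme documented for PAN-OS HA, 00-1B-17-00-xx-yy, with xx the HA Group ID and yy an interface-specific ID; the interface-to-ID mapping, pair names and group numbers below are constructed for illustration, and the 1-63 Group ID range is the one the HA settings accept.

```python
"""Derive PAN-OS HA virtual MACs from the Group ID and find collisions
between HA pairs on one segment. Added example; pair names, interface
IDs and group numbers are constructed."""
from collections import defaultdict


def virtual_mac(group_id: int, interface_id: int) -> str:
    """00-1B-17-00-xx-yy: Palo Alto OUI, fixed 00, HA Group ID, interface ID."""
    if not 1 <= group_id <= 63:
        raise ValueError("HA Group ID must be 1-63")
    if not 0 <= interface_id <= 255:
        raise ValueError("interface ID must fit in one octet")
    return f"00:1b:17:00:{group_id:02x}:{interface_id:02x}"


def mac_conflicts(pairs: dict, interface_ids: dict) -> dict:
    """pairs: {pair_name: group_id}; interface_ids: {ifname: id}.
    Returns {mac: [(pair, ifname), ...]} for every MAC claimed by more than one pair."""
    owners = defaultdict(list)
    for pair, gid in pairs.items():
        for ifname, iid in interface_ids.items():
            owners[virtual_mac(gid, iid)].append((pair, ifname))
    return {mac: who for mac, who in owners.items() if len(who) > 1}


def suggest_group_id(taken, start: int = 1) -> int:
    """Lowest Group ID not already used by another pair on the segment."""
    for gid in range(start, 64):
        if gid not in taken:
            return gid
    raise ValueError("no free HA Group ID on this segment")


if __name__ == "__main__":
    # Constructed: two A/P pairs, both left at Group ID 1, sharing a subnet.
    ifaces = {"ethernet1/1": 1, "ethernet1/2": 2}
    pairs = {"pair-A": 1, "pair-B": 1}
    for mac, who in mac_conflicts(pairs, ifaces).items():
        print(f"{mac} claimed by {who}")
    pairs["pair-B"] = suggest_group_id({pairs["pair-A"]})
    print("after fix:", mac_conflicts(pairs, ifaces) or "no conflicts")
```

Changing the Group ID changes every virtual MAC of that pair at once, so plan it in a maintenance window and expect upstream switches and routers to relearn the new addresses via gratuitous ARP.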

How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

A. Configure the firewall's assigned template to download the content updates.
B. Choose the download and install action for both members of the HA pair in the Schedule object.
C. Switch context to the firewalls to start the download and install process.
D. Download the apps to the primary; no further action is required.

Suggested answer: B

Explanation:

Panorama > Device Deployment > Dynamic Updates lets you create a schedule that names the action (download only, or download and install) and the target devices. Selecting both members of the HA pair with the download-and-install action keeps the Applications and Threats content version identical on both peers, which is what you want before a failover. Templates (A) push configuration, not content; switching context (C) works but is not centralized deployment; and content installed on one peer (D) is not replicated to the other.

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/add-the-managed-firewalls-and-deploy-updates

An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

A. Ethernet SGT Protection
B. Protocol Protection
C. DoS Protection
D. Reconnaissance Protection
E. Resource Protection

Suggested answer: A, B, D

Explanation:

A Zone Protection profile (Network > Network Profiles > Zone Protection) contains five groups of settings: Flood Protection, Reconnaissance Protection, Packet Based Attack Protection, Protocol Protection and Ethernet SGT Protection. Of the options offered, Ethernet SGT Protection (A), Protocol Protection (B) and Reconnaissance Protection (D) are therefore Zone Protection settings.

A. Ethernet SGT Protection: drops frames whose 802.1Q header carries a listed Cisco TrustSec Security Group Tag, for Layer 2 and virtual wire zones.

B. Protocol Protection: allows or blocks non-IP protocols by Ethertype (an include list or an exclude list) between zones on Layer 2 and virtual wire interfaces; it is not a session limiter for IP protocols such as SIP.

D. Reconnaissance Protection: detects TCP and UDP port scans and host sweeps, each with a configurable interval (seconds), threshold (events in that interval) and action (allow, alert, block, or block-ip for a set duration), optionally with a source-address exclusion list for authorised scanners.

DoS Protection (C) is not a Zone Protection setting: it is a separate profile type (Objects > Security Profiles > DoS Protection) that is applied through DoS Protection policy rules, and Resource Protection (E) is the tab inside that DoS Protection profile that caps concurrent sessions. The zone-level equivalent for SYN, UDP, ICMP, ICMPv6 and other-IP floods is the Flood Protection tab of the Zone Protection profile, which is what makes option C tempting.
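The interval/threshold model behind Reconnaissance Protection is easy to reproduce on traffic logs, which is a useful way to tune those two numbers before enabling a block action. The detector below is an added example, not PAN-OS code: it applies a sliding window per source and flags a source once it has touched `threshold` distinct destination ports within `interval_sec` seconds, matching the semantics the profile describes for TCP port scans. The log lines are constructed.

```python
"""Sliding-window port-scan detector modelled on the Interval/Threshold
settings of Zone Protection Reconnaissance Protection. Added example;
the log lines are constructed test data."""
from collections import defaultdict, deque

# Constructed traffic log, key=value style: epoch seconds, source, destination, port.
SAMPLE_LOG = [
    "ts=1700000000 src=10.1.1.5 dst=203.0.113.7 dport=22 proto=tcp",
    "ts=1700000000 src=10.1.1.5 dst=203.0.113.7 dport=23 proto=tcp",
    "ts=1700000001 src=10.1.1.5 dst=203.0.113.7 dport=25 proto=tcp",
    "ts=1700000001 src=10.1.1.5 dst=203.0.113.7 dport=80 proto=tcp",
    "ts=1700000002 src=10.1.1.5 dst=203.0.113.7 dport=443 proto=tcp",
    "ts=1700000003 src=10.1.1.5 dst=203.0.113.7 dport=8080 proto=tcp",
    # Slow scanner: one port every ten seconds, never enough inside a short window.
    "ts=1700000000 src=10.1.1.7 dst=203.0.113.7 dport=21 proto=tcp",
    "ts=1700000010 src=10.1.1.7 dst=203.0.113.7 dport=22 proto=tcp",
    "ts=1700000020 src=10.1.1.7 dst=203.0.113.7 dport=23 proto=tcp",
    "ts=1700000030 src=10.1.1.7 dst=203.0.113.7 dport=25 proto=tcp",
    "ts=1700000040 src=10.1.1.7 dst=203.0.113.7 dport=80 proto=tcp",
    # Busy but legitimate client: many connections, one target port.
    *[f"ts={1700000000 + i} src=10.1.1.9 dst=203.0.113.7 dport=443 proto=tcp" for i in range(6)],
]


def parse_line(line: str):
    """Turn one key=value log line into (ts, src, dst, dport)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return int(kv["ts"]), kv["src"], kv["dst"], int(kv["dport"])


def detect_port_scans(events, interval_sec: int, threshold: int, exclude=()):
    """events: iterable of (ts, src, dst, dport). Returns {src: ts_of_first_trigger}
    for sources that hit `threshold` distinct (dst, port) targets within `interval_sec`.
    `exclude` mirrors the profile's source-address exclusion for authorised scanners."""
    window = defaultdict(deque)          # src -> deque of (ts, (dst, port)), oldest first
    alerts = {}
    for ts, src, dst, port in sorted(events):
        if src in exclude:
            continue
        q = window[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > interval_sec:
            q.popleft()                  # drop entries that fell out of the window
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def scan_log(lines, interval_sec: int = 2, threshold: int = 5, exclude=()):
    return detect_port_scans((parse_line(l) for l in lines), interval_sec, threshold, exclude)


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))                         # fast scanner only
    print(scan_log(SAMPLE_LOG, interval_sec=60))        # slow scanner now caught too
```

Replaying your own logs this way shows how many legitimate sources a given interval and threshold would catch; start with `alert` as the action and only move to `block-ip` once the false-positive rate is acceptable.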

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

A. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "user-defined" and manually set the timers.
D. Change the HA timer profile to "quick" and customize in advanced profile.

Suggested answer: A

Explanation:

The HA timer profile determines the parameters for detecting failures and triggering failover in an A/P HA pair. The default timer profile is "Recommended", which balances failover speed against stability. To achieve faster failover, the administrator can change the HA timer profile to "Aggressive", which shortens the hello and heartbeat intervals and the failure-detection timeouts, or select "Advanced" and set the individual timers manually. "Fast", "quick" and "user-defined" (B, C, D) are not PAN-OS timer profile names. Note that shorter timers make the pair more sensitive to transient HA-link congestion, so test the aggressive profile on the HA links you actually have before relying on it for a critical application.

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-timers

Where can an administrator see both the management-plane and data-plane CPU utilization in the WebUI?

A. System Resources widget
B. System Logs widget
C. Session Browser
D. General Information widget

Suggested answer: A

Explanation:

The System Resources widget on the Dashboard displays the Management CPU usage, the Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama). The General Information widget shows model, serial number and software versions but no utilization; the System Logs widget and the Session Browser show events and sessions, not CPU figures.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/dashboard/dashboard-widgets.html
