ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 22

List of questions

Question 211

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

A. A subject alternative name
B. A private key
C. A server certificate
D. A certificate authority (CA) certificate
Suggested answer: A, C
Explanation:

When deploying SSL Forward Proxy decryption, a forward trust certificate must have a subject alternative name (SAN) and be a server certificate. SAN is an extension to the X.509 standard that allows multiple domain names to be protected by a single SSL/TLS certificate. It is used to identify the domain names or IP addresses that the certificate should be valid for. A private key is also required but it is not mentioned in the options. A certificate authority (CA) certificate is not required as the forward trust certificate itself is a CA certificate.

asked 23/09/2024
Bassem Louati
36 questions

Question 212

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

A. ASBR
B. ECMP
C. OSPFv3
D. OSPF
Suggested answer: C
Explanation:

Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospfconcepts/ospfv3

asked 23/09/2024
Jean Presume
33 questions

Question 213

A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny." Which action will this configuration cause on the matched traffic?

A. The Profile Settings section will be grayed out when the Action is set to "Deny"
B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit
C. The configuration will allow the matched session unless a vulnerability signature is detected.
D. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny"
Suggested answer: D
Explanation:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html

The first note in the above link states:

"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." The first thing the firewall checks per its flow is the security policy match and action. The Security Profile never gets checked if a match happens on a policy set to deny that match.

asked 23/09/2024
David Stutz
37 questions

Question 214

An engineer has discovered that certain real-time traffic is being treated as best effort because it exceeds the defined bandwidth. Which QoS setting should the engineer adjust?

A. QoS profile: Egress Max
B. QoS interface: Egress Guaranteed
C. QoS profile: Egress Guaranteed
D. QoS interface: Egress Max
Suggested answer: C
Explanation:

When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/quality-of-service/qos-concepts/qos-bandwidth-management

asked 23/09/2024
Carlos Eduardo Araujo Fonseca
43 questions

Question 215

A company is looking to increase redundancy in their network. Which interface type could help accomplish this?

A. Layer 2
B. Virtual wire
C. Tap
D. Aggregate ethernet
Suggested answer: D
Explanation:

An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/configure-an-aggregate-interfacegroup#id9c0f5a8b-0aad-4be5-821d-ef9d7c11a88d

asked 23/09/2024
de jong arjen
49 questions

Question 216

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

A. Configure a floating IP between the firewall pairs.
B. Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
C. Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
D. On one pair of firewalls, run the CLI command: set network interface vlan arp.
Suggested answer: B
Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet. This will prevent the MAC addresses from conflicting and allow the firewalls to properly route traffic. You can also configure a floating IP between the firewall pairs if necessary.

asked 23/09/2024
Mark Wingate
34 questions

Question 217

How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

A. Configure the firewall's assigned template to download the content updates.
B. Choose the download and install action for both members of the HA pair in the Schedule object.
C. Switch context to the firewalls to start the download and install process.
D. Download the apps to the primary; no further action is required.
Suggested answer: B
Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/use-caseconfigure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/add-themanaged-firewalls-and-deploy-updates

asked 23/09/2024
Jorge Diaz
38 questions

Question 218

An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

A. Ethernet SGT Protection
B. Protocol Protection
C. DoS Protection
D. Reconnaissance Protection
E. Resource Protection
Suggested answer: B, C, D
Explanation:

B. Protocol Protection: Protocol protection is used to limit or block traffic that uses certain protocols or application functions. For example, a Zone Protection profile can be configured to block traffic that uses non-standard protocols, such as IP-in-IP, or to limit the number of concurrent sessions for certain protocols, such as SIP.

C. DoS Protection: DoS protection is used to protect against various types of denial-of-service (DoS) attacks, such as SYN floods, UDP floods, ICMP floods, and others. A Zone Protection profile can be configured to limit the rate of traffic for certain protocols or to drop traffic that matches specific patterns, such as malformed packets or packets with invalid headers.

D. Reconnaissance Protection: Reconnaissance protection is used to prevent attackers from gathering information about the network, such as by using port scans or other techniques. A Zone Protection profile can be configured to limit the rate of traffic for certain types of reconnaissance, such as port scans or OS fingerprinting, or to drop traffic that matches specific patterns, such as packets with invalid flags or payloads.

asked 23/09/2024
Okan YILDIZ
45 questions

Question 219

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

A. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "user-defined" and manually set the timers.
D. Change the HA timer profile to "quick" and customize in advanced profile.
Suggested answer: A
Explanation:

The HA timer profile determines the parameters for detecting failures and triggering failover in an A/P HA pair. The default timer profile is "recommended", which provides a balance between failover speed and stability. To achieve faster failover, the administrator can change the HA timer profile to "aggressive", which reduces the heartbeat intervals and timeouts. Alternatively, the administrator can customize the settings in the advanced profile and manually adjust the timers according to their needs [1].

Reference: [1] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-timers

asked 23/09/2024
maria rocio ucha paz
46 questions

Question 220

Where can an administrator see both the management-plane and data-plane CPU utilization in the WebUI?

A. System Resources widget
B. System Logs widget
C. Session Browser
D. General Information widget
Suggested answer: A
Explanation:

The System Resources widget of the Exadata WebUI displays a real-time overview of the various resources like CPU, Memory, and I/O usage across the entire Exadata Database Machine. It shows both management-plane and data-plane CPU utilization.

System Resources Widget: Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/dashboard/dashboardwidgets.html

asked 23/09/2024
Christopher Harden
54 questions
Total 470 questions