ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 23

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

A. The profile rule action
B. CVE column
C. Exceptions tab
D. The profile rule threat name
Suggested answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMnCAK

When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?

A. Local
B. LDAP
C. Kerberos
D. Radius
Suggested answer: A

Explanation:

When using SSH keys for CLI authentication for firewall administration, the method used for authorization is local. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 4: Authentication and Authorization, under the section "CLI Authentication with SSH Keys":

"SSH keys use public key cryptography to authenticate users, but they do not provide a mechanism for authorization. Therefore, when using SSH keys for CLI authentication, authorization is always performed locally on the firewall."

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down for High Availability.

What could an administrator do to troubleshoot the issue?

A. Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup
B. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings
C. Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup under Election Settings
D. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.
Suggested answer: B

Explanation:

If the HA status is showing as down after enabling HA Heartbeat Backup on two devices, an administrator could troubleshoot the issue by checking the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 7: High Availability, under the section "Configure Heartbeat Backup for Redundancy":

"Verify that the management interface's permitted IP addresses on each peer includes the IP address of the other peer's Heartbeat Backup interface."

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

A. Exclude video traffic
B. Enable decryption
C. Block traffic that is not work-related
D. Create a Tunnel Inspection policy
Suggested answer: A, C

Explanation:

This is because excluding video traffic from being sent over the VPN will reduce the amount of bandwidth being used during peak hours, allowing more bandwidth to be available for other types of traffic. Blocking non-work related traffic will also reduce the amount of bandwidth being used, further freeing up bandwidth for work-related traffic.

Enabling decryption and creating a Tunnel Inspection policy are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not directly address the issue of limited bandwidth availability during these times.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

An administrator is configuring a Panorama device group.

Which two objects are configurable? (Choose two.)

A. DNS Proxy
B. Address groups
C. SSL/TLS roles
D. URL Filtering profiles
Suggested answer: B, D

Explanation:

URL filtering is a feature in Palo Alto Networks firewalls that allows administrators to block access to specific URLs [1]. This feature can be configured via four different objects: Custom URL categories in URL Filtering profiles, PAN-DB URL categories in URL Filtering profiles, External Dynamic Lists (EDL) in URL Filtering profiles, and Custom URL categories in Security policy rules. The evaluation order for URL filtering is: Custom URL categories in URL Filtering profile, PAN-DB URL categories in URL Filtering profile, EDL in URL Filtering profile, and Custom URL category in Security policy rule. This information can be found in the Palo Alto Networks PCNSE Study Guide, which can be accessed here:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/resource-library/palo-altonetworks-pcnse-study-guide.html.

A network security administrator wants to configure SSL inbound inspection.

Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)

A. An SSL/TLS Service profile
B. The web server's security certificate with the private key
C. A Decryption profile
D. A Decryption policy
E. The client's security certificate with the private key
Suggested answer: B, C, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inboundinspection

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

A. Windows User-ID agent
B. GlobalProtect
C. XMLAPI
D. External dynamic list
E. Dynamic user groups
Suggested answer: A, B, C

Explanation:

User-ID is a feature that enables the firewall to identify users and groups based on their IP addresses, usernames, or other attributes.

There are three valid methods of collecting User-ID information in a network:

Windows User-ID agent: This is a software agent that runs on a Windows server and collects user mapping information from Active Directory, Exchange servers, or other sources.

GlobalProtect: This is a VPN solution that provides secure remote access for users and devices. It also collects user mapping information from endpoints that connect to the firewall using GlobalProtect.

XMLAPI: This is an application programming interface that allows third-party applications or scripts to send user mapping information to the firewall using XML format.

What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

A. Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate
B. Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)
C. Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)
D. Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate
Suggested answer: D

Explanation:

NAT oversubscription is a feature that allows you to reuse a translated IP address and port for multiple source devices. This can help you conserve public IP addresses and increase the number of sessions that can be translated by a NAT rule.

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

A. Choose the URL categories on Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.
B. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.
C. Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.
D. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
Suggested answer: D

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

A. Inherit settings from the Shared group
B. Inherit IPSec crypto profiles
C. Inherit all Security policy rules and objects
D. Inherit parent Security policy rules and objects
Suggested answer: B, D

Explanation:

B. Inherit IPSec crypto profiles

This is correct because IPSec crypto profiles are one of the objects that can be inherited from a parent device group [1]. You can also create IPSec crypto profiles for use in shared or device group policy [1].

D. Inherit parent Security policy rules and objects

This is correct because Security policy rules and objects are also inheritable from a parent device group [1]. You can also create Security policy rules and objects for use in shared or device group policy [1].

Total 426 questions