ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 24
A security engineer received multiple reports of an IPSec VPN tunnel going down the night before.

The engineer couldn't find any events related to VPN under system logs.

What is the likely cause?

A. Dead Peer Detection is not enabled.
B. Tunnel Inspection settings are misconfigured.
C. The Tunnel Monitor is not configured.
D. The log quota for GTP and Tunnel needs to be adjusted.

Suggested answer: C

Explanation:

The likely cause is that the Tunnel Monitor is not configured. This means that the firewall does not have a mechanism to monitor the status of the IPSec VPN tunnel and generate logs when it goes down or up. The Tunnel Monitor is an optional feature that can be enabled on each IPSec tunnel interface; it uses ICMP probes to check the connectivity of the tunnel peer. If the firewall does not receive a response from the peer after a specified number of retries, it marks the tunnel as down and logs an event.

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?

A. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
B. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
C. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.
D. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

Suggested answer: C

Explanation:

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot. This means that the administrator can enable advanced routing features such as RIB filtering, BFD, multicast, and redistribution profiles for each virtual router on the firewall. The firewall requires a reboot after enabling advanced routing to apply the changes.

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Application to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

A. It matches to the New App-IDs downloaded in the last 30 days.
B. It matches to the New App-IDs downloaded in the last 90 days.
C. It matches to the New App-IDs installed since the last time the firewall was rebooted.
D. It matches to the New App-IDs in the most recently installed content releases.

Suggested answer: D

Explanation:

When creating a new App-ID report under Monitor > Reports > Application Reports > New Application, the firewall identifies new applications based on the New App-IDs in the most recently installed content releases. The New App-IDs are the application signatures that have been added in the latest content release, which can be found under Objects > Security Profiles > Application. This allows the engineer to monitor any new applications that have been added to the firewall's database and evaluate whether to allow or block them with a Security policy update.

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method?

(Choose two.)

A. No client configuration is required for explicit proxy, which simplifies the deployment complexity.
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports.
D. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request.

Suggested answer: B, C

Explanation:

B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy. This means that the client can see the proxy's IP address and port number, and can use tools like ping or traceroute to check connectivity and latency issues. Transparent proxies are invisible to the client browser, which makes it harder to diagnose problems.

C. Explicit proxy supports interception of traffic using non-standard HTTPS ports. This means that the proxy can handle HTTPS requests that use ports other than 443, which may be required by some applications or websites. Transparent proxies can only intercept HTTPS traffic on port 443, which limits their functionality.

What is the best definition of the Heartbeat Interval?

A. The interval in milliseconds between hello packets.
B. The frequency at which the HA peers check link or path availability.
C. The frequency at which the HA peers exchange ping.
D. The interval during which the firewall will remain active following a link monitor failure.

Suggested answer: A

Explanation:

According to the Palo Alto Networks Knowledge Base, the best definition of the Heartbeat Interval is A: the interval in milliseconds between hello packets.

The Heartbeat Interval is a CLI command that configures how often an HA peer sends an ICMP ping to its partner through the HA control link. The ping verifies network connectivity and ensures that the peer kernel is responsive. The default value is 1000 ms for all Palo Alto Networks platforms.

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.

All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?

A. The IP address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers.
B. Network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange.
C. Network 192.168.28.32/27 with server type Microsoft.
D. One IP address of a Microsoft Active Directory server and "Auto Discover" enabled to automatically obtain all five of the other servers.

Suggested answer: A

Explanation:

The administrator needs to provide the IP address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers in the User Identification > Discovery section. The administrator should enter the network address of 192.168.28.32/28 and select "Microsoft Active Directory" as the server type for the four Active Directory servers, and enter the network address of 192.168.28.48/28 and select "Microsoft Exchange" as the server type for the two Exchange servers. This will allow the User-ID agent to discover and map the IP address of each server to the corresponding username.

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled.

What action should the engineer take?

A. Add an authentication algorithm in the IPSec Crypto profile.
B. Enable PFS under the IPSec Tunnel advanced options.
C. Select the appropriate DH Group under the IPSec Crypto profile.
D. Enable PFS under the IKE gateway advanced options.

Suggested answer: C

Explanation:

PFS (Perfect Forward Secrecy) is a feature that ensures that the encryption keys used for each IPSec session are not derived from previous keys. This provides more security in case one key is compromised. To enable PFS, the administrator needs to select the appropriate DH (Diffie-Hellman) Group under the IPSec Crypto profile that is applied to the IPSec tunnel. The DH Group determines the strength of the key exchange and should match on both ends of the tunnel [1]. The other options do not enable PFS. The authentication algorithm in the IPSec Crypto profile is used to verify the integrity of the IPSec packets. The PFS option under the IPSec Tunnel advanced options or the IKE gateway advanced options does not exist in the WebUI.

Reference:

[1] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpn/site-to-site-vpn/configure-the-ipsec-crypto-profile

A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.

What must be enabled to allow an interface to forward multicast traffic?

A. IGMP
B. PIM
C. BFD
D. SSM

Suggested answer: B

Explanation:

PIM (Protocol Independent Multicast) is a protocol that enables routers to forward multicast traffic efficiently based on the source and destination addresses. PIM can operate in two modes: sparse mode (PIM-SM) or dense mode (PIM-DM).

PIM-SM uses a rendezvous point (RP) as a central point for distributing multicast traffic, while PIM-DM uses flooding and pruning techniques. Enabling PIM on the interface allows routers to forward multicast traffic using either sparse mode or dense mode, depending on your network topology and requirements.

A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

A. Create a Dynamic Admin with the Panorama Administrator role.
B. Create a Device Group and Template Admin.
C. Create a Custom Panorama Admin.
D. Create a Dynamic Read only superuser.

Suggested answer: B

Explanation:

A Device Group and Template Admin is a type of role-based access that allows the administrator to assign different privileges for different device groups and templates. This is useful for managing multiple firewalls with different configuration needs. For example, the administrator can create a Device Group and Template Admin role that allows the contractors to deploy policies and objects only to their assigned device groups and templates [1]. The other options are not suitable for this project. A Dynamic Admin with the Panorama Administrator role has full access to all device groups and templates [2]. A Custom Panorama Admin can have limited access to device groups and templates, but cannot have different privileges for different device groups and templates [3]. A Dynamic Read only superuser can only view the configuration and logs, but cannot deploy policies and objects [4].

Reference:

[1] https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/device-group-and-template-admin
[2] https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/dynamic-admin
[3] https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/custom-panorama-admin
[4] https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/dynamic-read-only-superuser

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

A. set deviceconfig setting tcp asymmetric-path drop
B. set deviceconfig setting session tcp-reject-non-syn no
C. set session tcp-reject-non-syn yes
D. set deviceconfig setting tcp asymmetric-path bypass

Suggested answer: B

Explanation:

To work around this issue, one possible troubleshooting command is set deviceconfig setting session tcp-reject-non-syn no, which disables TCP reject non-SYN temporarily (until reboot). This command allows a non-SYN first packet through without dropping it.

The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option enables or disables the firewall's dropping of non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.