Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 24
Question 231
A security engineer received multiple reports of an IPSec VPN tunnel going down the night before.
The engineer couldn't find any events related to VPN under system logs.
What is the likely cause?
Explanation:
The likely cause is that Tunnel Monitor is not enabled on the IPSec tunnel, so the firewall has no mechanism to monitor the status of the tunnel and generate logs when it goes down or comes back up. Tunnel Monitor is an optional feature that can be enabled on each IPSec tunnel interface; it uses ICMP probes to check connectivity to the tunnel peer. If the firewall does not receive a response from the peer after a specified number of retries, it marks the tunnel as down and logs an event.
Question 232
How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
Explanation:
Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot. This allows the administrator to enable advanced routing features such as RIB filtering, BFD, multicast, and redistribution profiles for each virtual router on the firewall. The firewall requires a reboot after enabling advanced routing to apply the change.
Question 233
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Application to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
Explanation:
When creating a new App-ID report under Monitor > Reports > Application Reports > New Application, the firewall identifies new applications based on the New App-IDs in the most recently installed content releases. The New App-IDs are the application signatures that have been added in the latest content release, which can be found under Objects > Security Profiles > Application. This allows the engineer to monitor any new applications that have been added to the firewall's database and evaluate whether to allow or block them with a Security policy update.
Question 234
An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.
What are two benefits of using an explicit proxy method versus a transparent proxy method?
(Choose two.)
Explanation:
B. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy. The client can see the proxy's IP address and port number, and can use tools like ping or traceroute to check connectivity and latency issues. Transparent proxies are invisible to the client browser, which makes it harder to diagnose problems.
C. Explicit proxy supports interception of traffic using non-standard HTTPS ports. The proxy can handle HTTPS requests that use ports other than 443, which may be required by some applications or websites. Transparent proxies can only intercept HTTPS traffic on port 443, which limits their functionality.
Question 235
What is the best definition of the Heartbeat Interval?
Explanation:
According to the Palo Alto Networks Knowledge Base, the best definition of the Heartbeat Interval is A. The interval in milliseconds between hello packets.
The Heartbeat Interval is a CLI command that configures how often an HA peer sends an ICMP ping to its partner through the HA control link. The ping verifies network connectivity and ensures that the peer kernel is responsive. The default value is 1000ms for all Palo Alto Networks platforms.
Question 236
An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events.
All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?
Explanation:
The administrator needs to provide the IP address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers in the User Identification > Discovery section. The administrator should enter the network address of 192.168.28.32/28 and select "Microsoft Active Directory" as the server type for the four Active Directory servers and enter the network address of 192.168.28.48/28 and select "Microsoft Exchange" as the server type for the two Exchange servers. This will allow the User-ID agent to discover and map the IP address of each server to the corresponding username.
Question 237
A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled.
What action should the engineer take?
Explanation:
PFS (Perfect Forward Secrecy) is a feature that ensures that the encryption keys used for each IPSec session are not derived from previous keys. This provides more security in case one key is compromised. To enable PFS, the administrator needs to select the appropriate DH (Diffie-Hellman) Group under the IPSec Crypto profile that is applied to the IPSec tunnel. The DH Group determines the strength of the key exchange and should match on both ends of the tunnel [1]. The other options do not enable PFS. The authentication algorithm in the IPSec Crypto profile is used to verify the integrity of the IPSec packets. The PFS option under the IPSec Tunnel advanced options or the IKE gateway advanced options does not exist in the WebUI.
Reference: 1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpn/site-to-site-vpn/configure-the-ipsec-crypto-profile
Question 238
A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.
What must be enabled to allow an interface to forward multicast traffic?
Explanation:
PIM (Protocol Independent Multicast) is a protocol that enables routers to forward multicast traffic efficiently based on the source and destination addresses. PIM can operate in two modes: sparse mode (PIM-SM) or dense mode (PIM-DM).
PIM-SM uses a rendezvous point (RP) as a central point for distributing multicast traffic, while PIM-DM uses flooding and pruning techniques. The engineer must enable PIM on the interface, which allows routers to forward multicast traffic using either sparse mode or dense mode, depending on the network topology and requirements.
Question 239
A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
Explanation:
A Device Group and Template Admin is a type of role-based access that allows the administrator to assign different privileges for different device groups and templates. This is useful for managing multiple firewalls with different configuration needs. For example, the administrator can create a Device Group and Template Admin role that allows the contractors to deploy policies and objects only to their assigned device groups and templates [1]. The other options are not suitable for this project. A Dynamic Admin with the Panorama Administrator role has full access to all device groups and templates [2]. A Custom Panorama Admin can have limited access to device groups and templates, but cannot have different privileges for different device groups and templates [3]. A Dynamic Read-only superuser can only view the configuration and logs, but cannot deploy policies and objects.
Reference:
1: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/device-group-and-template-admin
2: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/dynamic-admin
3: https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/custom-panorama-admin
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control/administrative-roles/dynamic-read-only-superuser
Question 240
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
Explanation:
To work around this issue, one possible troubleshooting command is set deviceconfig setting session tcp-reject-non-syn no, which disables TCP reject non-SYN temporarily (until reboot). This command allows a non-SYN first packet through without dropping it.
The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set but not the SYN flag, which indicates an asymmetric traffic flow. The tcp-reject-non-syn option enables or disables dropping of non-SYN TCP packets by the firewall. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.