Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 28
Question 271


An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies
Suggested answer: D

Explanation:

The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers, which can raise privacy and legal concerns for the users and the organization.

Therefore, the engineer should ensure that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that there is a clear policy for informing the users and obtaining their consent. Option A is incorrect because browser-supported cipher documentation is not relevant for SSL Forward Proxy decryption: the firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL Forward Proxy decryption, for the same reason: the firewall negotiates with the external server using its own cipher suite, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category distinctions are not relevant for SSL Forward Proxy decryption; the firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones.

asked 23/09/2024
sheldan simeina

Question 272


What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A. Deny
B. Discard
C. Allow
D. Next VR
Suggested answer: D

Explanation:

Next VR can be used as an Action when creating a Policy-Based Forwarding (PBF) policy. A PBF policy allows the firewall to forward traffic based on criteria such as source and destination IP addresses, application, user, and service. The Action of a PBF policy defines how the firewall forwards the matching traffic. Next VR specifies the virtual router to which the firewall forwards the traffic. Option A is incorrect because Deny is not a valid Action for a PBF policy. Deny is an Action for a security policy that blocks the matching traffic. Option B is incorrect because Discard is not a valid Action for a PBF policy. Discard is an Action for a DoS protection policy that drops the matching traffic. Option C is incorrect because Allow is not a valid Action for a PBF policy. Allow is an Action for a security policy that permits the matching traffic.

asked 23/09/2024
David Vicente Martinez

Question 273


An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

[Image: screenshot of the HA settings referenced in the question]

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

A. Hello Interval
B. Promotion Hold Time
C. Heartbeat Interval
D. Monitor Fail Hold Up Time
Suggested answer: C

Explanation:

The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger failover in an HA pair [1]. The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is 3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity [2]. The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds) [3]. The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds) [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
4: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

asked 23/09/2024
Salman Hashmi

Question 274


Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

A. Verify
B. Schedules
C. Install from file
D. Check dependencies
E. Revert content
Suggested answer: B, C, E

Explanation:

Panorama offers three options for deploying dynamic updates to its managed devices: Schedules, Install from file, and Revert content. Schedules allows the administrator to configure a recurring schedule for downloading and installing dynamic updates from the Palo Alto Networks update server. Install from file allows the administrator to manually upload and install a dynamic update file from a local system. Revert content allows the administrator to revert to a previous version of a dynamic update in case of any issues with the current version. Option A is incorrect because Verify is not an option for deploying dynamic updates on Panorama; Verify is an option for validating the configuration on Panorama or a managed device. Option D is incorrect because Check dependencies is not an option for deploying dynamic updates on Panorama; Check dependencies is an option for checking whether a configuration change affects other settings on Panorama or a managed device.

asked 23/09/2024
TIAM HERVE

Question 275


An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI.

Which CLI command can the engineer use?

A. test vpn flow
B. test vpn ike-sa
C. test vpn tunnel
D. test vpn gateway
Suggested answer: D

Explanation:

The engineer can use the test vpn gateway CLI command to manually initiate a VPN tunnel from the CLI. This command allows the engineer to specify the name of the VPN gateway and the IP address of the peer in order to initiate an IKE negotiation and establish a VPN tunnel. Option A is incorrect because test vpn flow is not a valid CLI command. Option B is incorrect because test vpn ike-sa is a CLI command that displays information about the IKE security associations; it does not initiate a VPN tunnel. Option C is incorrect because test vpn tunnel is a CLI command that displays information about the IPSec security associations; it does not initiate a VPN tunnel.

asked 23/09/2024
Khuong Tang

Question 276


As a best practice, logging at session start should be used in which case?

A. On all Allow rules
B. While troubleshooting
C. Only when log at session end is enabled
D. Only on Deny rules
Suggested answer: B

Explanation:

Logging at session start should be used as a best practice while troubleshooting. Logging at session start allows the administrator to see the logs for sessions that are initiated but not completed, such as sessions that are dropped or blocked by the firewall. This can help the administrator identify and resolve issues with network connectivity or firewall configuration. Logging at session start should not be used for normal operations because it generates more logs and consumes more resources on the firewall. Option A is incorrect because logging at session start should not be used on all Allow rules; logging at session end is sufficient for Allow rules because it provides information about the completed sessions, such as bytes and packets transferred, application, user, and threat information.

Option C is incorrect because logging at session start can be used independently of logging at session end; the two options are not mutually exclusive. Option D is incorrect because logging at session start should not be used only on Deny rules; logging at session end is sufficient for Deny rules because it provides information about the denied sessions, such as source and destination IP addresses, ports, and protocol.

asked 23/09/2024
Kevin Lizano

Question 277


An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

A. The modification will not be visible in Panorama.
B. The firewall template will show that it is out of sync within Panorama.
C. Panorama will update the template with the overridden value.
D. Only Panorama can revert the override.
Suggested answer: A

Explanation:

When overriding the firewall configuration pushed from Panorama, the modification will not be visible in Panorama. The firewall will show an override icon next to the modified setting and will display a warning message that the local configuration differs from Panorama. The override icon will also appear on Panorama next to the firewall name in the Device Groups and Templates tabs [1]. The other options are not correct. The firewall template will not show that it is out of sync within Panorama, because the template itself is not modified. Panorama will not update the template with the overridden value, because the template is read-only on the firewall. The override can be reverted either from Panorama or from the firewall [2].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/override-a-template-setting
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/revert-an-overridden-template-setting

asked 23/09/2024
Karanshah Gulati

Question 278


Which type of zone will allow different virtual systems to communicate with each other?

A. Tap
B. External
C. Virtual Wire
D. Tunnel
Suggested answer: B

Explanation:

An external zone is a type of zone that will allow different virtual systems to communicate with each other. An external zone is a special zone that is shared by all virtual systems on the firewall and can be used to route traffic between virtual systems without leaving the firewall. The external zone can also be used to route traffic to other zones within the same virtual system [1]. The other options are not correct. A tap zone is a type of zone that is used to passively monitor traffic without affecting the flow of packets [2]. A virtual wire zone is a type of zone that is used to create a transparent bridge between two network segments without changing the original IP addressing or routing [3]. A tunnel zone is a type of zone that is used to terminate VPN tunnels or other types of encapsulated traffic [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-tap-interface
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-virtual-wire
4: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-tunnel-interface

asked 23/09/2024
Paula Delgado

Question 279


What must be configured to apply tags automatically based on User-ID logs?

A. Log Forwarding profile
B. Device ID
C. Log settings
D. Group mapping
Suggested answer: C

Explanation:

Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.

Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

asked 23/09/2024
Soma Ismael Bola

Question 280


An administrator needs to gather information about the firewall CPU utilization on both the management plane and the data plane.

Where does the administrator view the desired data?

A. Application Command and Control Center
B. Monitor > Utilization
C. Support > Resources
D. System Resources Widget on the Dashboard
Suggested answer: D

Explanation:

The System Resources widget on the Dashboard in the WebUI shows both the management plane and data plane CPU utilization, as well as other system resources such as memory, disk, and session [1].

The other options do not show both the management plane and data plane CPU utilization. The Application Command and Control Center (ACC) shows the network activity and application usage based on traffic logs [2]. The Monitor > Utilization page shows the interface utilization and packet buffer utilization [3]. The Support > Resources page shows the system resources for Panorama only [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/dashboard/dashboard-widgets
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc/acc-overview
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-utilization
4: https://docs.paloaltonetworks.com/panorama/10-2/panorama-web-interface-help/support/support-resources

asked 23/09/2024
mohamed mamdouh