Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 28

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization.

What should they review with their leadership before implementation?

A. Browser-supported cipher documentation
B. Cipher documentation supported by the endpoint operating system
C. URL risk-based category distinctions
D. Legal compliance regulations and acceptable usage policies
Suggested answer: D

Explanation:

The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers. This can raise privacy and legal concerns for the users and the organization.

Therefore, the engineer should ensure that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that they have a clear policy for informing and obtaining consent from the users. Option A is incorrect because browser-supported cipher documentation is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category distinctions are not relevant for SSL Forward Proxy decryption. The firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones.

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A. Deny
B. Discard
C. Allow
D. Next VR
Suggested answer: D

Explanation:

Next VR can be used as an Action when creating a Policy-Based Forwarding (PBF) policy. A PBF policy allows the firewall to forward traffic based on criteria such as source and destination IP addresses, application, user, and service. The Action of a PBF policy defines how the firewall forwards the matching traffic. Next VR specifies the virtual router to which the firewall forwards the traffic. Option A is incorrect because Deny is not a valid Action for a PBF policy. Deny is an Action for a security policy that blocks the matching traffic. Option B is incorrect because Discard is not a valid Action for a PBF policy. Discard is an Action for a DoS protection policy that drops the matching traffic. Option C is incorrect because Allow is not a valid Action for a PBF policy. Allow is an Action for a security policy that permits the matching traffic.

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

A. Hello Interval
B. Promotion Hold Time
C. Heartbeat Interval
D. Monitor Fail Hold Up Time
Suggested answer: C

Explanation:

The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger failover in an HA pair [1]. The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is 3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity [2]. The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds) [3]. The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds) [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers
4: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

A. Verify
B. Schedules
C. Install from file
D. Check dependencies
E. Revert content
Suggested answer: B, C, E

Explanation:

Panorama offers three options for deploying dynamic updates to its managed devices: Schedules, Install from file, and Revert content. Schedules allows the administrator to configure a recurring schedule for downloading and installing dynamic updates from the Palo Alto Networks update server. Install from file allows the administrator to manually upload and install a dynamic update file from a local system. Revert content allows the administrator to revert to a previous version of a dynamic update in case of any issues with the current version. Option A is incorrect because Verify is not an option for deploying dynamic updates on Panorama. Verify is an option for validating the configuration on Panorama or a managed device. Option D is incorrect because Check dependencies is not an option for deploying dynamic updates on Panorama. Check dependencies is an option for checking whether a configuration change affects other settings on Panorama or a managed device.

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI.

Which CLI command can the engineer use?

A. test vpn flow
B. test vpn ike-sa
C. test vpn tunnel
D. test vpn gateway
Suggested answer: D

Explanation:

The engineer can use the test vpn gateway CLI command to manually initiate a VPN tunnel from the CLI. This command allows the engineer to specify the name of the VPN gateway and the IP address of the peer to initiate an IKE negotiation and establish a VPN tunnel. Option A is incorrect because test vpn flow is not a valid CLI command. Option B is incorrect because test vpn ike-sa is a CLI command that displays information about the IKE security associations; it does not initiate a VPN tunnel. Option C is incorrect because test vpn tunnel is a CLI command that displays information about the IPSec security associations; it does not initiate a VPN tunnel.

As a best practice, logging at session start should be used in which case?

A. On all Allow rules
B. While troubleshooting
C. Only when log at session end is enabled
D. Only on Deny rules
Suggested answer: B

Explanation:

Logging at session start should be used as a best practice while troubleshooting. Logging at session start allows the administrator to see the logs for sessions that are initiated but not completed, such as sessions that are dropped or blocked by the firewall. This can help the administrator to identify and resolve issues with network connectivity or firewall configuration. Logging at session start should not be used for normal operations because it generates more logs and consumes more resources on the firewall. Option A is incorrect because logging at session start should not be used on all Allow rules. Logging at session end is sufficient for Allow rules because it provides information about the completed sessions, such as bytes and packets transferred, application, user, and threat information.

Option C is incorrect because logging at session start can be used independently of logging at session end. Logging at session start and logging at session end are not mutually exclusive options. Option D is incorrect because logging at session start should not be used only on Deny rules. Logging at session end is sufficient for Deny rules because it provides information about the denied sessions, such as source and destination IP addresses, ports, and protocol.

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration.

When overriding the firewall configuration pushed from Panorama, what should you consider?

A. The modification will not be visible in Panorama.
B. The firewall template will show that it is out of sync within Panorama.
C. Panorama will update the template with the overridden value.
D. Only Panorama can revert the override.
Suggested answer: A

Explanation:

When overriding the firewall configuration pushed from Panorama, the modification will not be visible in Panorama. The firewall will show an override icon next to the modified setting and will display a warning message that the local configuration differs from Panorama. The override icon will also appear on Panorama next to the firewall name in the Device Groups and Templates tabs [1]. The other options are not correct. The firewall template will not show that it is out of sync within Panorama, because the template itself is not modified. Panorama will not update the template with the overridden value, because the template is read-only on the firewall. The override can be reverted either from Panorama or from the firewall [2].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/override-a-template-setting
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-configuration/revert-an-overridden-template-setting

Which type of zone will allow different virtual systems to communicate with each other?

A. Tap
B. External
C. Virtual Wire
D. Tunnel
Suggested answer: B

Explanation:

An external zone is a type of zone that will allow different virtual systems to communicate with each other. An external zone is a special zone that is shared by all virtual systems on the firewall and can be used to route traffic between virtual systems without leaving the firewall. The external zone can also be used to route traffic to other zones within the same virtual system [1]. The other options are not correct. A tap zone is a type of zone that is used to passively monitor traffic without affecting the flow of packets [2]. A virtual wire zone is a type of zone that is used to create a transparent bridge between two network segments without changing the original IP addressing or routing [3]. A tunnel zone is a type of zone that is used to terminate VPN tunnels or other types of encapsulated traffic [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-tap-interface
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-virtual-wire
4: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/configure-interfaces/configure-a-tunnel-interface

What must be configured to apply tags automatically based on User-ID logs?

A. Log Forwarding profile
B. Device ID
C. Log settings
D. Group mapping
Suggested answer: C

Explanation:

Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.

Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

An administrator needs to gather information about the firewall CPU utilization on both the management plane and the data plane.

Where does the administrator view the desired data?

A. Application Command and Control Center
B. Monitor > Utilization
C. Support > Resources
D. System Resources Widget on the Dashboard
Suggested answer: D

Explanation:

The System Resources widget on the Dashboard in the WebUI shows both the management plane and data plane CPU utilization as well as other system resources such as memory, disk, and session [1].

The other options do not show both the management plane and data plane CPU utilization. The Application Command and Control Center (ACC) shows the network activity and application usage based on traffic logs [2]. The Monitor > Utilization page shows the interface utilization and packet buffer utilization [3]. The Support > Resources page shows the system resources for Panorama only [4].

Reference:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/dashboard/dashboard-widgets
2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc/acc-overview
3: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-utilization
4: https://docs.paloaltonetworks.com/panorama/10-2/panorama-web-interface-help/support/support-resources

Total 426 questions