ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 3

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?

Question 21

Report
Export
Collapse

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption?

(Choose two.)

A.
the website matches a category that is not allowed for most users
A.
the website matches a category that is not allowed for most users
Answers
B.
the website matches a high-risk category
B.
the website matches a high-risk category
Answers
C.
the web server requires mutual authentication
C.
the web server requires mutual authentication
Answers
D.
the website matches a sensitive category
D.
the website matches a sensitive category
Answers
Suggested answer: C, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryptionexclusions/palo-alto-networks-predefined-decryption-exclusions.htmlThe firewall provides a predefined SSL Decryption Exclusion list to exclude from decryptioncommonly used sites that break decryption because of technical reasons such as pinned certificatesand mutual authentication.

Question 22

Report
Export
Collapse

An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization1?

A.
Protection against unknown malware can be provided in near real-time
A.
Protection against unknown malware can be provided in near real-time
Answers
B.
WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
B.
WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
Answers
C.
After 24 hours WildFire signatures are included in the antivirus update
C.
After 24 hours WildFire signatures are included in the antivirus update
Answers
D.
WildFire and Threat Prevention combine to minimize the attack surface
D.
WildFire and Threat Prevention combine to minimize the attack surface
Answers
Suggested answer: A

Explanation:

Adding a WildFire subscription can improve the security posture of the organization by providing protection against unknown malware in near real-time. With a WildFire subscription, the firewall can forward various file types for WildFire analysis, and can retrieve WildFire signatures for newly- discovered malware as soon as they are generated by the WildFire public cloud or a private cloud appliance. This reduces the exposure window and prevents further infection by the same malware.Reference: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire- overview/wildfire-subscription

Question 23

Report
Export
Collapse

What are two valid deployment options for Decryption Broker? (Choose two)

A.
Transparent Bridge Security Chain
A.
Transparent Bridge Security Chain
Answers
B.
Layer 3 Security Chain
B.
Layer 3 Security Chain
Answers
C.
Layer 2 Security Chain
C.
Layer 2 Security Chain
Answers
D.
Transparent Mirror Security Chain
D.
Transparent Mirror Security Chain
Answers
Suggested answer: A, B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption- broker/decryption-broker-concepts

Question 24

Report
Export
Collapse

An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?

A.
Variable CSV export under Panorama > templates
A.
Variable CSV export under Panorama > templates
Answers
B.
PDF Export under Panorama > templates
B.
PDF Export under Panorama > templates
Answers
C.
Manage variables under Panorama > templates
C.
Manage variables under Panorama > templates
Answers
D.
Managed Devices > Device Association
D.
Managed Devices > Device Association
Answers
Suggested answer: C

Explanation:

To edit a template variable at the device level, you need to go to Manage variables under Panorama > templates. This allows you to override the default value of a variable for a specific device or device group. For example, you can assign a specific DNS server to one firewall within a device group by editing the ${dns-primary} variable for that device. Reference: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage- templates/use-template-variables.html

Question 25

Report
Export
Collapse

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)

A.
Virtual router
A.
Virtual router
Answers
B.
Security zone
B.
Security zone
Answers
C.
ARP entries
C.
ARP entries
Answers
D.
Netflow Profile
D.
Netflow Profile
Answers
Suggested answer: A, B

Explanation:

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interfacehelp/network/network-interfaces/pa-7000-series- layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-8064499f5b9d

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAKVLAN interface is not necessary but in this scenarion we assume it is. Create VLAN object, VLANinterface and VLAN Zone. Attach VLAN interface to VLAN object together with two L2 interfaces thenattach VLAN interface to virtual router. Without VLAN interface you can pass traffic betweeninterfaces on the same network and with VLAN interface you can route traffic to other networks.

Question 26

Report
Export
Collapse

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

A.
Configuration logs
A.
Configuration logs
Answers
B.
System logs
B.
System logs
Answers
C.
Traffic logs
C.
Traffic logs
Answers
D.
Tunnel Inspection logs
D.
Tunnel Inspection logs
Answers
Suggested answer: B

Explanation:

According to the Palo Alto Networks documentation, "To view IKE and IPSec Crypto profiles in the logs, filter the System log for eventid equal to vpn (Monitor > Logs > System)." Reference:https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpn/set-up-site-to-site-vpn/set-up- ike-crypto-profiles.html

Question 27

Report
Export
Collapse

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panoram a. However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

A.
Export the log database.
A.
Export the log database.
Answers
B.
Use the import option to pull logs.
B.
Use the import option to pull logs.
Answers
C.
Use the ACC to consolidate the logs.
C.
Use the ACC to consolidate the logs.
Answers
D.
Use the scp logdb export command.
D.
Use the scp logdb export command.
Answers
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb

Question 28

Report
Export
Collapse

A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

A.
routes listed in the routing table with flags Oi
A.
routes listed in the routing table with flags Oi
Answers
B.
routes listed in the routing table with flags A?B
B.
routes listed in the routing table with flags A?B
Answers
C.
under the BGP Summary tab
C.
under the BGP Summary tab
Answers
D.
routes listed in the forwarding table with BGP in the Protocol column
D.
routes listed in the forwarding table with BGP in the Protocol column
Answers
Suggested answer: B

Explanation:

Flags

A?BóActive and learned via BGP

A CóActive and a result of an internal interface (connected) - Destination = network

A HóActive and a result of an internal interface (connected) - Destination = Host only

A RóActive and learned via RIP

A SóActive and static

SóInactive (because this route has a higher metric) and static

O1óOSPF external type-1

O2óOSPF external type-2

OióOSPF intra-area

OoóOSPF inter-area

Question 29

Report
Export
Collapse

A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named initcfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config The contents of init-cfg txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

A.
Firewall must be in factory default state or have all private data deleted for bootstrapping
A.
Firewall must be in factory default state or have all private data deleted for bootstrapping
Answers
B.
The hostname is a required parameter, but it is missing in init-cfg txt
B.
The hostname is a required parameter, but it is missing in init-cfg txt
Answers
C.
The USB must be formatted using the ext3 file system, FAT32 is not supported
C.
The USB must be formatted using the ext3 file system, FAT32 is not supported
Answers
D.
PANOS version must be 91.x at a minimum but the firewall is running 10.0.x
D.
PANOS version must be 91.x at a minimum but the firewall is running 10.0.x
Answers
E.
The bootstrap.xml file is a required file but it is missing
E.
The bootstrap.xml file is a required file but it is missing
Answers
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/bootstrap-a-firewall-using-a-usb-flash-drive.html#id8378007f-d6e5-4f2d-84a4-5d50b0b3ad7d

Question 30

Report
Export
Collapse

A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

A.
Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processorintensive decryption methods for lower-risk traffic
A.
Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processorintensive decryption methods for lower-risk traffic
Answers
B.
Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processorintensive decryption methods for tower-risk traffic
B.
Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processorintensive decryption methods for tower-risk traffic
Answers
C.
Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
C.
Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
Answers
D.
Use Decryption profiles to drop traffic that uses processor-intensive ciphers
D.
Use Decryption profiles to drop traffic that uses processor-intensive ciphers
Answers
Suggested answer: C

Explanation:

According to the Palo Alto Networks documentation, "Decryption Profiles define the cipher suite settings the firewall accepts so you can protect against vulnerable, weak protocols and algorithms.You can also use Decryption Profiles to downgrade processor-intensive ciphers to ciphers that areless processor-intensive." Reference: https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/data-center-decryption-profile.html

Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms