ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 32

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template can an engineer configure? (Choose three.)

A. NTP Server Address
B. Antivirus Profile
C. Authentication Profile
D. Service Route Configuration
E. Dynamic Address Groups

Suggested answer: A, C, D

Explanation:

NTP Server Address; D. Service Route Configuration. Short explanation of correct answer only: these parts of a template can be configured on Panorama [1]. An antivirus profile and an authentication profile are not parts of a template, but parts of a device group [2].

References:
[1] https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/templates-and-template-stacks-overview
[2] https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups/device-group-overview

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

A. Minimum TLS version
B. Certificate
C. Encryption Algorithm
D. Maximum TLS version
E. Authentication Algorithm

Suggested answer: A, B, D

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

A. Perform a commit force from the CLI of the firewall.
B. Perform a template commit push from Panorama using the 'Force Template Values' option.
C. Perform a device-group commit push from Panorama using the 'Include Device and Network Templates' option.
D. Reload the running configuration and perform a Firewall local commit

Suggested answer: B

Explanation:

This option will overwrite any local configuration on the firewall with the template configuration from Panorama [1]. Performing a commit force from the CLI of the firewall will not remove the local override [2]. Performing a device-group commit push from Panorama using the 'Include Device and Network Templates' option will not remove the local override [3]. Reloading the running configuration and performing a Firewall local commit will not remove the local override.

References:
[1] https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/force-template-values
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/commit-changes
[3] https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups/push-policy-and-configuration-to-firewalls
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-configurations/revert-to-a-previous-configuration

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

A. Add SSL and web-browsing applications to the same rule.
B. Add web-browsing application to the same rule.
C. Add SSL application to the same rule.
D. SSL and web-browsing must both be explicitly allowed

Suggested answer: C

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

A. Run the CLI command show advanced-routing ospf neighbor
B. In the WebUI, view the Runtime Stats in the logical router.
C. In the WebUI, view the Runtime Stats in the virtual router.
D. Look for configuration problems in Network > virtual router > OSPF

Suggested answer: A, C

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?


A. Change destination NAT zone to Trust_L3.
B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
C. Change Source NAT zone to Untrust_L3.
D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Suggested answer: D

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

A. Click Session Browser and review the session details.
B. Click Traffic view and review the information in the detailed log view.
C. Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.
D. Click App Scope > Network Monitor and filter the report for NAT rules

Suggested answer: C

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

A. Data Filtering
B. Threat
C. Traffic
D. Configuration

Suggested answer: B

Explanation:

The firewall records alert events in the System log and events for dropped traffic, discarded sessions, and blocked IP address in the Threat log when packet buffer protection is activated [1][2]. Packet buffer protection is a feature that helps prevent packet buffer exhaustion by identifying and dropping traffic from sources that consume excessive packet buffers [3].

References:
[1] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNB7CAM&lang=en_US
[2] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
[3] https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

A. A Deny policy for the tagged traffic
B. An Allow policy for the initial traffic
C. A Decryption policy to decrypt the traffic and see the tag
D. A Deny policy with the 'tag' App-ID to block the tagged traffic

Suggested answer: A, B

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A. A web server certificate signed by the organization's PKI
B. A self-signed certificate generated on the firewall
C. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A web server certificate signed by an external Certificate Authority

Suggested answer: B
Total 426 questions