
Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 34

What is the best description of the Cluster Synchronization Timeout (min)?

A. The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
D. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
Suggested answer: A

Explanation:

The Cluster Synchronization Timeout (min) is an HA clustering setting: the maximum number of minutes the local firewall waits before going to Active state when another cluster member (for example, one in an unknown state) is preventing the cluster from fully synchronizing. An HA cluster is a group of firewalls that share session state over the HA4 link; a member that never reaches a known, synchronized state would otherwise hold up traffic processing on the local firewall. The range is 0 to 30 minutes and the default is 0, meaning the local firewall does not wait for the unresponsive member and goes to Active state immediately. The other options describe different HA timers: option B is the Promotion Hold Time, option C is the HA4 Keep-alive Threshold (ms) used between cluster members, and option D is the Hello Interval exchanged between HA peers. Reference: Configure HA Clustering; PCNSE Study Guide (page 53).

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

A. Values in Datacenter
B. Values in efw01lab.chi
C. Values in Global Settings
D. Values in Chicago
Suggested answer: D

Explanation:

Panorama applies the templates in a stack in priority order: the template listed highest in the stack takes precedence, and for any setting defined in more than one template the firewall receives the value from the highest-priority template that defines it, while the same setting in lower-priority templates is ignored. Lower templates only contribute settings that no template above them defines. Because, according to the diagram, Chicago is the highest-priority template in the stack, the firewall receives the values of the SSL/TLS Service profile named Management from Chicago, and the values in Datacenter, efw01lab.chi, and Global Settings for that profile are not applied. Note that a value overridden locally on the firewall takes precedence over every template in the stack, so the stack order only decides among template-defined values.

Reference: Manage Templates and Template Stacks; Template Stack Configuration; Template Stack Priority.

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

A. Proxy IDs
B. GRE Encapsulation
C. Tunnel Monitor
D. ToS Header
Suggested answer: A

Explanation:

When the peer is a policy-based VPN device, the administrator configures proxy IDs on the IPSec tunnel. A policy-based peer identifies interesting traffic by an access-list style policy (local subnet, remote subnet, protocol and port) and proposes exactly those selectors during the IPSec (Phase 2) negotiation; the PAN-OS firewall is route-based and has to present matching proxy IDs, mirrored from its own side, or the IPSec SA is not established. Each proxy ID consists of a local IP address or subnet, a remote IP address or subnet, and a protocol (with port numbers where applicable), and each proxy ID is counted as a separate VPN tunnel against the firewall's IPSec VPN tunnel capacity. If no proxy ID is configured, the firewall uses the defaults of local 0.0.0.0/0, remote 0.0.0.0/0, and protocol any, which does not match a policy-based peer's narrower policy and results in a Phase 2 failure; a mismatch shows up in the System log and can be reproduced with test vpn ipsec-sa and inspected with show vpn flow. GRE encapsulation, Tunnel Monitor, and the ToS header do not influence which traffic the peer accepts into the tunnel. Reference:

Proxy ID for IPSec VPN

Set Up an IPSec Tunnel
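The mirror-and-exact-match rule from the explanation above, as an added example that is not part of the original page and not Palo Alto Networks code. It models IKEv1 quick mode semantics (each selector pair proposed by the policy-based peer must exactly equal one configured proxy ID); the peer policy, subnets and ProxyId names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    local: str             # subnet on this firewall's side
    remote: str            # subnet on the peer's side
    protocol: str = "any"  # "any", or e.g. "tcp/443"


# What PAN-OS uses when no proxy ID is configured on the tunnel.
DEFAULT_PROXY_ID = ProxyId("0.0.0.0/0", "0.0.0.0/0", "any")


def mirror(peer_policy):
    """A policy-based peer proposes (its local, its remote). Seen from our side
    the subnets swap, so the proxy ID we need is (their remote, their local)."""
    return ProxyId(peer_policy.remote, peer_policy.local, peer_policy.protocol)


def same_network(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def negotiate_phase2(our_proxy_ids, peer_policies):
    """Return {peer_policy: matching ProxyId or None}. A proposal only succeeds
    when one of our proxy IDs equals the mirrored peer policy exactly; a
    broader summary prefix or the 0.0.0.0/0 default does not match."""
    result = {}
    for policy in peer_policies:
        wanted = mirror(policy)
        result[policy] = next(
            (p for p in our_proxy_ids
             if same_network(p.local, wanted.local)
             and same_network(p.remote, wanted.remote)
             and p.protocol == wanted.protocol),
            None,
        )
    return result


# Constructed policy of the customer's policy-based device: two interesting-traffic rules.
PEER_POLICIES = [
    ProxyId("192.168.5.0/24", "10.1.0.0/24"),            # peer LAN -> our server subnet
    ProxyId("192.168.5.0/24", "10.1.1.0/24", "tcp/443"),  # peer LAN -> our web tier, HTTPS only
]

# Proxy IDs configured on the PA-850 tunnel, mirrored from the peer policy.
OUR_PROXY_IDS = [
    ProxyId("10.1.0.0/24", "192.168.5.0/24"),
    ProxyId("10.1.1.0/24", "192.168.5.0/24", "tcp/443"),
]

if __name__ == "__main__":
    for label, pids in (("configured", OUR_PROXY_IDS), ("default only", [DEFAULT_PROXY_ID])):
        outcome = negotiate_phase2(pids, PEER_POLICIES)
        print(label, {f"{k.local}->{k.remote}/{k.protocol}": (v is not None) for k, v in outcome.items()})
```

The second run shows the failure mode the question is about: with only the default proxy ID, every Phase 2 proposal from the peer is rejected even though Phase 1 succeeds.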

Given the following configuration, which route is used for destination 10.10.0.4?

A. Route 2
B. Route 3
C. Route 1
D. Route 4
Suggested answer: A
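The configuration the question refers to is not reproduced here, so the following is an added example of how the route lookup is decided, not the page's own material or PAN-OS code: longest prefix match first, then, among routes for the same prefix, the lowest administrative distance and then the lowest metric (the preference the RIB applies before a route is installed in the FIB). The routing table and route names below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: str      # prefix in CIDR notation
    next_hop: str
    admin_distance: int   # preference between routing sources, lower wins
    metric: int           # preference within a routing source, lower wins


def network(route):
    return ipaddress.ip_network(route.destination, strict=False)


def select_route(routes, dest_ip):
    """Return the Route used for dest_ip, or None if no route covers it.

    1. Keep only routes whose prefix contains the destination.
    2. Prefer the longest prefix (most specific route).
    3. For the same prefix, prefer the lowest administrative distance,
       then the lowest metric.
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in network(r)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-network(r).prefixlen, r.admin_distance, r.metric))


# Constructed sample routing table (not the configuration from the question).
SAMPLE_ROUTES = [
    Route("Route 1", "10.0.0.0/8",   "192.0.2.1", admin_distance=10,  metric=10),  # static summary
    Route("Route 2", "10.10.0.0/16", "192.0.2.2", admin_distance=10,  metric=10),  # static
    Route("Route 3", "10.10.0.0/16", "192.0.2.3", admin_distance=110, metric=20),  # OSPF, same prefix as Route 2
    Route("Route 4", "10.10.1.0/24", "192.0.2.4", admin_distance=10,  metric=10),  # static, more specific
]

if __name__ == "__main__":
    for ip in ("10.10.0.4", "10.10.1.7", "10.20.0.1", "172.16.0.1"):
        chosen = select_route(SAMPLE_ROUTES, ip)
        print(ip, "->", chosen.name if chosen else "no route (dropped unless a default route exists)")
```

For 10.10.0.4 both /16 routes are more specific than the /8, and the static route wins over the OSPF route for the same prefix because its administrative distance is lower; 10.10.1.7 goes to the /24 regardless of distance or metric because prefix length is compared first.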

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

A. Values in Chicago
B. Values in efw01lab.chi
C. Values in Datacenter
D. Values in Global Settings
Suggested answer: B
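Both template stack questions above turn on the same precedence rule (highest template in the stack wins, lower templates fill in what nothing above them defines, and a local override on the firewall beats every template). The following is an added example that is not part of the original page and not Panorama code; the stack order, setting paths and certificate names are assumptions for illustration and are not taken from the diagram.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    name: str
    settings: dict  # setting path -> value defined in this template


def resolve_template_stack(stack, local_overrides=None):
    """Compute the settings a firewall receives from a Panorama template stack.

    stack is ordered as in Panorama, highest priority first. For each setting
    the first template (highest in the stack) that defines it wins; templates
    lower in the stack only contribute settings nobody above them defined.
    Values overridden locally on the firewall take precedence over every template.
    Returns (effective_settings, source_of_each_setting).
    """
    effective, source = {}, {}
    for template in stack:
        for key, value in template.settings.items():
            if key not in effective:
                effective[key] = value
                source[key] = template.name
    for key, value in (local_overrides or {}).items():
        effective[key] = value
        source[key] = "firewall local override"
    return effective, source


MGMT_CERT = "ssl-tls-service-profile/Management/certificate"

# Constructed stack; the order is an assumption, not the diagram from the question.
STACK = [
    Template("Chicago",         {MGMT_CERT: "chi-mgmt-cert"}),
    Template("efw01lab.chi",    {MGMT_CERT: "lab-mgmt-cert", "dns/primary": "10.1.1.53"}),
    Template("Datacenter",      {MGMT_CERT: "dc-mgmt-cert", "ntp/primary": "10.1.1.123"}),
    Template("Global Settings", {MGMT_CERT: "global-mgmt-cert", "ntp/primary": "pool.ntp.org",
                                 "login-banner": "Authorized use only"}),
]
LOCAL_OVERRIDES = {"dns/primary": "10.9.9.53"}

if __name__ == "__main__":
    effective, source = resolve_template_stack(STACK, LOCAL_OVERRIDES)
    for key in effective:
        print(f"{key}: {effective[key]}  (from {source[key]})")
```

Reversing the stack order changes which template's Management profile reaches the firewall, which is exactly why the answer to this question depends on the arrangement shown in the diagram.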

What can the Log Forwarding built-in action with tagging be used to accomplish?

A. Block the source zones of selected unwanted traffic.
B. Block the destination IP addresses of selected unwanted traffic.
C. Forward selected logs to the Azure Security Center.
D. Block the destination zones of selected unwanted traffic.
Suggested answer: B

Explanation:

A Log Forwarding profile can apply built-in actions to logs that match a filter in its match list. The Tagging action adds a tag to the source IP address, the destination IP address, or (for some log types) the user in each matching log, registering it locally, on Panorama, or with a remote User-ID agent. A Dynamic Address Group (DAG) whose match criterion includes that tag picks up the address as soon as it is registered, and a Security policy rule that references the DAG then blocks traffic to it, with no commit required. Tagging the destination IP addresses of unwanted traffic (option B) is therefore the correct use. Zones cannot be tagged (options A and D), and forwarding to Azure Security Center is a separate Integration built-in action rather than tagging (option C).

This is how auto-tagging responds to detected threats without manual intervention: the policy is written once against the DAG and its membership changes automatically as matching logs arrive. Reference: PAN-OS Administrator's Guide, Use Auto-Tagging to Automate Security Actions.

Which three statements accurately describe Decryption Mirror? (Choose three.)

A. Decryption Mirror requires a tap interface on the firewall
B. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel
C. Only management consent is required to use the Decryption Mirror feature.
D. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.
E. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
Suggested answer: B, D, E

Explanation:

Decryption Mirror sends a copy of decrypted SSL/TLS traffic out of a dedicated interface to an external security device or tool for further analysis. Because the mirrored copy is cleartext, anyone with administrative access to the firewall or to the collector can read credentials, session tokens and other sensitive data that users submitted over an encrypted channel; a compromised administrator account is the main risk, which makes option B correct.

Decryption, storage, inspection, and use of SSL/TLS traffic are regulated in certain countries and industries (option D), so the feature should be reviewed with corporate legal counsel before it is activated in production to make sure it does not violate privacy laws or regulatory requirements (option E).

Option A is incorrect because the copy is sent from an Ethernet interface configured with the Decrypt Mirror interface type, not from a tap interface. Option C is incorrect because the free Decryption Port Mirror license must be activated on the Customer Support Portal and the legal notice acknowledged; management consent alone is not what gates the feature, and legal compliance must be considered as well. Reference: PAN-OS Administrator's Guide, Configure Decryption Port Mirroring.

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

A. TCP Fast Open in the Strip TCP options
B. Ethernet SGT Protection
C. Stream ID in the IP Option Drop options
D. Record Route in IP Option Drop options
Suggested answer: B

Explanation:

Cisco TrustSec carries a Security Group Tag (SGT) in the Ethernet frame to identify the source's security group and enforce access controls at Layer 2. The Ethernet SGT Protection setting of a Zone Protection profile lets the engineer list SGT values; the firewall inspects the TrustSec header of frames entering the zone and drops those whose SGT matches a listed value. The other options act on TCP options (option A) or IP options (options C and D) and never see the Layer 2 tag. Reference: PAN-OS Administrator's Guide, Zone Protection Profiles, Ethernet SGT Protection.

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?

A. HA1
B. HA3
C. HA2
D. HA4
Suggested answer: D

Explanation:

In an HA cluster the HA4 link carries session synchronization between cluster members, so when a new firewall joins, the existing members synchronize their session tables to it over HA4 (an HA4 backup link can be configured as well). The other links serve an HA pair rather than the cluster: HA1 carries the control-plane heartbeat and configuration synchronization, HA2 synchronizes sessions and tables between the two firewalls of the pair, and HA3 forwards packets between the pair in active/active mode. Reference: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview

Which three authentication types can be used to authenticate users? (Choose three.)

A. Local database authentication
B. PingID
C. Kerberos single sign-on
D. GlobalProtect client
E. Cloud authentication service
Suggested answer: A, C, E

Explanation:

The three authentication types that can be used to authenticate users are:

A: Local database authentication. The firewall or Panorama stores and verifies user credentials in its local user database.

C: Kerberos single sign-on. Users who are already logged in to a Windows domain are authenticated with the Kerberos protocol and get seamless access to the firewall or Panorama without re-entering credentials.

E: Cloud authentication service. The firewall or Panorama authenticates users through the Cloud Identity Engine, which relies on a cloud identity provider such as Okta, PingOne, or PingFederate to return a SAML assertion.

PingID (option B) is a multi-factor authentication vendor that is added to an authentication profile as an MFA factor, not an authentication type, and the GlobalProtect client (option D) is the VPN client that is authenticated, not a method of authenticating users.
