ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 43

Which two are required by IPSec in transport mode? (Choose two.)

A. Auto generated key
B. NAT Traversal
C. IKEv1
D. DH-group 20 (ECP-384 bits)
Suggested answer: C, D

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server. By default, which component of the Palo Alto Networks firewall architecture is responsible for log forwarding and should be checked for early signs of overutilization?

A. Management plane CPU
B. Dataplane CPU
C. Packet buffers
D. On-chip packet descriptors
Suggested answer: A
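The operational commands below are an added illustration and are not part of the ExamGecko page or of Palo Alto Networks documentation. They show where a practitioner would look on a PAN-OS firewall to confirm that log forwarding load lands on the management plane and to catch overutilization early; the dataplane command is included only for contrast. No output is shown, because the values depend on the platform and log volume.

```text
# Management plane CPU and memory (top-style output). Sustained high CPU on the
# log-handling processes such as logrcvr, or on mgmtsrvr, is the early warning
# the question refers to. "follow" refreshes the view continuously.
show system resources
show system resources follow

# Dataplane utilization for contrast: log forwarding does not appear here,
# so a healthy dataplane does not mean the management plane is healthy.
show running resource-monitor second last 60

# Forwarding state towards Panorama / Dedicated Log Collectors, with the
# sequence numbers last sent and acknowledged per log type.
show logging-status

# Log receiver counters: incoming log rate versus forwarded and dropped logs.
# A growing drop count is the sign that the management plane cannot keep up.
debug log-receiver statistics
```

Run `show system resources` first; if the management plane is already saturated, the other two commands will confirm whether logging is the cause before any Panorama-side tuning is attempted.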

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning the deployment?

A. Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
B. Panorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
C. Panorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.
D. Only Panorama must be patched to the target PAN-OS version before updating the firewalls.
Suggested answer: B

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)

A. Server certificate
B. SSL/TLS Service Profile
C. Certificate Profile
D. CA certificate
Suggested answer: C, D

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)

A. Configure a URL profile to block the phishing category.
B. Create a URL filtering profile.
C. Enable User-ID.
D. Create an anti-virus profile.
E. Create a decryption policy rule.
Suggested answer: B, C, E
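The configuration below is an added example, not the page's own content and not a Palo Alto Networks reference configuration. It wires up the three prerequisites from the suggested answer in PAN-OS set-command form: User-ID on the source zone, a decryption rule so the credential submission is visible inside TLS, and a URL filtering profile with credential enforcement attached to the security rule. Zone names (trust, untrust), rule and profile names, and the chosen categories are assumptions; the exact credential-enforcement keywords should be confirmed against the PAN-OS version in use.

```text
# 1. User-ID: credential phishing prevention needs an IP-to-user mapping for
#    the client, so identification must be enabled on the zone users sit in.
set zone trust enable-user-identification yes

# 2. Decryption: without SSL Forward Proxy the firewall only sees the TLS
#    handshake, never the submitted credentials. A forward-trust CA certificate
#    must already be installed on the firewall (assumed to exist here).
set rulebase decryption rules Decrypt-Outbound-Web from trust to untrust source any destination any service any category any type ssl-forward-proxy action decrypt

# 3. URL filtering profile with credential enforcement. "ip-user" mode checks
#    whether the submitted username matches the User-ID mapping of the client;
#    submissions to the listed categories are blocked and logged.
set profiles url-filtering Cred-Phish credential-enforcement mode ip-user
set profiles url-filtering Cred-Phish credential-enforcement block [ phishing unknown ]
set profiles url-filtering Cred-Phish credential-enforcement log-severity medium

# Attach the profile to the security rule that allows the (now decrypted) web traffic.
set rulebase security rules Allow-Outbound-Web profile-setting profiles url-filtering Cred-Phish
commit
```

An anti-virus profile (option D) plays no part in this chain, which is why it is not a prerequisite: the decision is made by the URL filtering engine on the decrypted HTTP POST, keyed on the user identity, not by content scanning.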

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40; however, they confirm a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

A. Replace the two NAT rules with a single rule that has both DMZ servers as 'Source Address', both external servers as 'Destination Address', and Source Translation remaining as is with the bidirectional option enabled.
B. Sharing a single NAT IP is possible for outbound connectivity but not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in NAT rule 6 (DMZ server 2).
C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.
D. Move NAT rule 6 (DMZ server 2) above NAT rule 5 (DMZ server 1).
Suggested answer: C

Explanation:

The NAT rule table referenced by the question (not reproduced on this page) lists, for each rule:

Source Zone and Destination Zone, which define the traffic flow.

Source Address and Destination Address, which specify the IP addresses involved.

Service, which indicates the type of traffic (e.g., any, ping).

Source Translation and Destination Translation, which show the translated IP addresses for NAT.

Issue and Resolution Options

The application server at 192.168.197.40 can establish outbound connections, but inbound connections to it fail because it shares the public NAT IP 198.51.100.88 with DMZ server 1 (192.168.197.60). NAT rules are evaluated first-match, and a static source NAT rule with the bidirectional option creates an implicit destination NAT for the whole translated IP. All inbound traffic to 198.51.100.88, the database server's ping included, is therefore delivered to the one server whose rule matches first: the ping is answered, but the secure connection intended for 192.168.197.40 never reaches it. With a single shared public IP, inbound traffic for two servers can only be told apart by destination port, which is what explicit destination NAT rules provide.

Options to Resolve the Issue:

Replace the Two NAT Rules with a Single Rule:

Combining both DMZ servers into one bidirectional rule simplifies the rulebase, but the implicit reverse mapping still has one public IP and no way to decide which DMZ server an inbound packet belongs to.

Pros: Simplifies rule management.

Cons: Does not address the inbound traffic issue.

New Public IP Address:

Obtaining a new public IP address for the new server (192.168.197.40) gives it dedicated inbound and outbound NAT.

Pros: Clear separation of traffic, resolves inbound connectivity issues.

Cons: Requires an additional public IP, which the question states is not available.

Separate Source NAT and Destination NAT Rules:

Configuring distinct rules: a source NAT rule for outbound traffic, and one destination NAT rule per server (distinguished by destination port) for inbound traffic, with the bidirectional option left off so no implicit reverse rule is created.

Pros: Clear and distinct rules for each direction of traffic; both servers reachable inbound on the shared IP.

Cons: More rules to manage.

Move the NAT Rule:

Reordering NAT rule 6 above NAT rule 5 only changes which server wins the first match.

Pros: Simple reordering.

Cons: Swaps the problem to DMZ server 1 instead of resolving it; only one server can own the shared IP's inbound traffic this way.
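The configuration below is an added example written for this page; it is not the NAT table the question refers to and not a Palo Alto Networks reference. It implements the suggested answer in PAN-OS set-command form: one outbound source NAT rule shared by both servers, one explicit destination NAT rule per server keyed on a distinct public port, and no bidirectional flag. The IP addresses are those from the question; the zone names (DMZ, Untrust), rule and service names, and the ports (443 for DMZ server 1, 8443 for the new server) are assumptions.

```text
# Outbound: both DMZ hosts share 198.51.100.88 with dynamic IP-and-port
# translation. No bi-directional flag, so no implicit inbound mapping exists.
set rulebase nat rules DMZ-Outbound from DMZ to Untrust source [ 192.168.197.60 192.168.197.40 ] destination any service any
set rulebase nat rules DMZ-Outbound source-translation dynamic-ip-and-port translated-address 198.51.100.88

# Inbound: one destination NAT rule per server. The public IP is the same for
# both, so the destination port is the only thing that can select the server.
# "to Untrust" is the zone of the pre-NAT destination address 198.51.100.88.
set service srv1-public protocol tcp port 443
set service srv2-public protocol tcp port 8443
set rulebase nat rules Inbound-DMZ-Server1 from Untrust to Untrust source any destination 198.51.100.88 service srv1-public
set rulebase nat rules Inbound-DMZ-Server1 destination-translation translated-address 192.168.197.60 translated-port 443
set rulebase nat rules Inbound-DMZ-Server2 from Untrust to Untrust source 203.0.113.40 destination 198.51.100.88 service srv2-public
set rulebase nat rules Inbound-DMZ-Server2 destination-translation translated-address 192.168.197.40 translated-port 8443

# Security policy is matched on the pre-NAT destination address but the
# post-NAT destination zone, hence "to DMZ" with destination 198.51.100.88.
set rulebase security rules Allow-DB-to-App from Untrust to DMZ source 203.0.113.40 destination 198.51.100.88 service srv2-public action allow
commit

# Check which NAT rule an inbound database connection to the new server hits
# (protocol 6 = TCP); the expected match is Inbound-DMZ-Server2.
test nat-policy-match from Untrust to Untrust source 203.0.113.40 destination 198.51.100.88 protocol 6 destination-port 8443
```

The database team would then connect to 198.51.100.88:8443 rather than to the port DMZ server 1 uses; if both servers had to be reachable on the same public port, a second public IP (option B) would be the only remaining choice.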

Total 426 questions