ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 5

An administrator analyzes the following portion of a VPN system log and notices the following issue: "Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway
Suggested answer: C

Explanation:

According to the Palo Alto Networks documentation, "A successful phase 2 negotiation requires not only that the security proposals match, but also the proxy-ids on either peer, be a mirror image of each other. So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between the Palo Alto Network firewall and the firewalls configured for policy-based VPNs." The log message indicates that the local and remote IDs are identical, which means they are not mirrored. Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2, Layer 3, or virtual wire
D. You must use a static IP address
Suggested answer: D

Explanation:

According to the Palo Alto Networks documentation, "To configure a service route, you must specify a source interface and a source address. The source interface can be any data port (Ethernet interface) or a loopback interface. The source address must be a static IP address that is configured on the source interface." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/service-routes-overview

Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
Suggested answer: B

Explanation:

Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. Reference: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html

You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

A. Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office
B. Create an Application Group and add business-systems to it.
C. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.
D. Create an Application Filter and name it Office Programs, then filter on the business-systems category.
Suggested answer: C

Explanation:

According to the Palo Alto Networks documentation, "Application filters enable you to create groups of applications based on specific characteristics such as subcategory, technology, risk factor, and so on. You can then use these groups in Security policy rules to allow or block access to the applications. For example, you can create an application filter that includes all applications in the office-programs subcategory and use it in a Security policy rule to allow access to any office-suite application." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/manage-applications-in-a-policy/use-application-filters-in-policy

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
B. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks
C. Add a WildFire subscription to activate DoS and zone protection features
D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
Suggested answer: A

Explanation:

1. https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.

2. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

3. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer found only the following directories: /config, /license, and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure?

A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The /content folder is missing from the bootstrap package
C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing
D. The /config or /software folders were missing mandatory files to successfully bootstrap
Suggested answer: B

Explanation:

The bootstrap process failed for the VM-Series firewall in Azure because the /content folder is missing from the bootstrap package. Reference: Bootstrap the VM-Series Firewall on Azure - Palo Alto Networks, https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-azure

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website, and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

A. Enterprise-Untrusted-CA, which is a self-signed CA
B. Enterprise-Trusted-CA, which is a self-signed CA
C. Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Root-CA, which is a self-signed CA
Suggested answer: A

Explanation:

Enterprise-Trusted-CA is installed in the trusted store of the end-user browser and system, so it should not lead to any certificate issue.

Most likely, www.example-website.com is signed by an untrusted certificate authority, which leads the firewall to use Enterprise-Untrusted-CA, which is not trusted by the browser either. Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps
Suggested answer: D

Explanation:

The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation).

Reference: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again
Suggested answer: C

Explanation:

HA Promotion Hold Time is the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost. Reference: PAN-OS New Features Guide

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.
Suggested answer: D

Explanation:

Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390 and https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html
