Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 5
List of questions
Related questions
Question 41
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."
What is the cause of the issue?
Explanation:
According to the Palo Alto Networks documentation, "A successful phase 2 negotiation requires not only that the security proposals match, but also the proxy-ids on either peer, be a mirror image of each other. So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between the Palo Alto Network firewall and the firewalls configured for policy-based VPNs." The log message indicates that the local and remote IDs are identical, which means they are not mirrored.Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK
Question 42
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
Explanation:
According to the Palo Alto Networks documentation, "To configure a service route, you must specify a source interface and a source address. The source interface can be any data port (Ethernet interface) or a loopback interface. The source address must be a static IP address that is configured on the source interface." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service- routes/service-routes-overview
Question 43
Refer to the image.
An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.
How can the issue be corrected?
Explanation:
Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. https://docs.paloaltonetworks.com/panorama/10-0/panorama- admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html
Question 44
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?
Explanation:
According to the Palo Alto Networks documentation, "Application filters enable you to create groups of applications based on specific characteristics such as subcategory, technology, risk factor, and so on. You can then use these groups in Security policy rules to allow or block access to the applications.For example, you can create an application filter that includes all applications in the office-programs subcategory and use it in a Security policy rule to allow access to any office-suite application." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/manage- applications-in-a-policy/use-application-filters-in-policy
Question 45
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
Explanation:
1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-bestpractices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-bestpractices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.
2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dosprotection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-tomeasure-cps.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection.html
Question 46
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, / license and /software Why did the bootstrap process fail for the VM-Series firewall in Azure?
Explanation:
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm- series-firewall/bootstrap-the-vm-series-firewall-in-azure The bootstrap process failed for the VM-Series firewall in Azure because the /content folder is missing from the bootstrap package 1. Reference: 1: Bootstrap the VM-Series Firewall on Azure - Palo Alto Networks
Question 47
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas) i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system ) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-lntermediate-CA iv. Enterprise-Root-CA which is verified only as Trusted Root CA An end-user visits https // www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward- proxyEnterprise-Trusted-CA is installed in the trusted store of the end-user browser and system. So it should not lead to any certificate issue.
The most possible that www.example-website.com is signed by not trusted certificate authority which leads to use Enterprise-Untrusted-CA, which is not trusted as well
Question 48
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute location?
Explanation:
The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55
Mbps on egress (50 Mbps plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prismaaccess-for-networks/how-to-calculate-network-bandwidth
Question 49
What best describes the HA Promotion Hold Time?
Explanation:
HA Promotion Hold Time is the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost 2. Reference: 2: PAN-OS Æ New Features Guide
Question 50
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html
Question