
Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 5


Question 41


An administrator analyzes the following portion of a VPN system log and notices the following issue: "Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

A. IPSec crypto profile mismatch
B. IPSec protocol mismatch
C. mismatched Proxy-IDs
D. bad local and peer identification IP addresses in the IKE gateway
Suggested answer: C
Explanation:

According to the Palo Alto Networks documentation, "A successful phase 2 negotiation requires not only that the security proposals match, but also that the proxy-IDs on either peer be a mirror image of each other. So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between the Palo Alto Networks firewall and firewalls configured for policy-based VPNs." The log message indicates that the local and remote IDs are identical, which means they are not mirrored. Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK

Asked 23/09/2024 by shubha sunil

Question 42


When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2, Layer 3, or virtual wire
D. You must use a static IP address
Suggested answer: D
Explanation:

According to the Palo Alto Networks documentation, "To configure a service route, you must specify a source interface and a source address. The source interface can be any data port (Ethernet interface) or a loopback interface. The source address must be a static IP address that is configured on the source interface." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/service-routes-overview

Asked 23/09/2024 by Andrea Tria

Question 43


Refer to the image.

[Image: Palo Alto Networks PCNSE Question 43 (Panorama template stack screenshot)]

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
Suggested answer: B
Explanation:

Both templates and template stacks support variables. Variables allow you to create placeholder objects whose value is specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. Reference: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html

Asked 23/09/2024 by Marcin Cieślak

Question 44


You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application?

A. Create an Application Group and add Office 365, Evernote, Google Docs, and LibreOffice.
B. Create an Application Group and add business-systems to it.
C. Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory.
D. Create an Application Filter and name it Office Programs, then filter on the business-systems category.
Suggested answer: C
Explanation:

According to the Palo Alto Networks documentation, "Application filters enable you to create groups of applications based on specific characteristics such as subcategory, technology, risk factor, and so on. You can then use these groups in Security policy rules to allow or block access to the applications. For example, you can create an application filter that includes all applications in the office-programs subcategory and use it in a Security policy rule to allow access to any office-suite application." Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/manage-applications-in-a-policy/use-application-filters-in-policy

Asked 23/09/2024 by Ronald Stover

Question 45


Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
B. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks
C. Add a WildFire subscription to activate DoS and zone protection features
D. Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
Suggested answer: A
Explanation:

1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices.html

2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

3 - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection.html

Asked 23/09/2024 by lagwendon Scott

Question 46


A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer found only the following directories: /config, /license and /software.

Why did the bootstrap process fail for the VM-Series firewall in Azure?

A. All public cloud deployments require the /plugins folder to support proper firewall native integrations
B. The /content folder is missing from the bootstrap package
C. The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing
D. The /config or /software folders were missing mandatory files to successfully bootstrap
Suggested answer: B
Explanation:

The bootstrap process failed for the VM-Series firewall in Azure because the /content folder is missing from the bootstrap package. Reference: Bootstrap the VM-Series Firewall on Azure - Palo Alto Networks, https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-azure

Asked 23/09/2024 by Serhan Azdiken

Question 47


A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)
ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate
iii. Enterprise-Intermediate-CA
iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

A. Enterprise-Untrusted-CA, which is a self-signed CA
B. Enterprise-Trusted-CA, which is a self-signed CA
C. Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA
D. Enterprise-Root-CA, which is a self-signed CA
Suggested answer: A
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

Enterprise-Trusted-CA is installed in the trusted store of the end-user browser and system, so it should not lead to any certificate issue.

The most likely explanation is that www.example-website.com is signed by an untrusted certificate authority, which leads the firewall to re-sign the certificate with Enterprise-Untrusted-CA, which is not trusted either.

Asked 23/09/2024 by Aaaa ddsdss

Question 48


An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps
Suggested answer: D
Explanation:

The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation).

Reference: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

Asked 23/09/2024 by Jonathan Correa

Question 49


What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again
Suggested answer: C
Explanation:

HA Promotion Hold Time is the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost. Reference: PAN-OS New Features Guide

Asked 23/09/2024 by Steven Prater

Question 50


How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
C. Use the debug dataplane packet-diag set capture stage management file command.
D. Use the tcpdump command.
Suggested answer: D
Explanation:

Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html

Asked 23/09/2024 by John Gevers
Total 499 questions