ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 6

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

Question 51

Report
Export
Collapse

What is the best description of the HA4 Keep-Alive Threshold (ms)?

A.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
A.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
Answers
B.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
B.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
Answers
C.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
C.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
Answers
D.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
D.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Answers
Suggested answer: C

Question 52

Report
Export
Collapse

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

A.
no install on the route
A.
no install on the route
Answers
B.
duplicate static route
B.
duplicate static route
Answers
C.
path monitoring on the static route
C.
path monitoring on the static route
Answers
D.
disabling of the static route
D.
disabling of the static route
Answers
Suggested answer: A, C

Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static-routes/configure-a-static-route.html

Question 53

Report
Export
Collapse

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended Where would you find this in Panorama or firewall logs?

A.
Traffic Logs
A.
Traffic Logs
Answers
B.
System Logs
B.
System Logs
Answers
C.
Session Browser
C.
Session Browser
Answers
D.
You cannot find failover details on closed sessions
D.
You cannot find failover details on closed sessions
Answers
Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/configure-sd-wan/sd-wan-traffic- distribution-profiles

Question 54

Report
Export
Collapse

SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me "security certificate isnot trusted is warning Without SSL decryption the web browser shows that the website certificate istrusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root- CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1 End-users must not get the warning for the https://www.very-important-website.com website.

2 End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

A.
Navigate to Device > Certificate Management > Certificates > Device Certificates import Well- Known-lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration
A.
Navigate to Device > Certificate Management > Certificates > Device Certificates import Well- Known-lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration
Answers
B.
Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores
B.
Install the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores
Answers
C.
Navigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration
C.
Navigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration
Answers
D.
Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
D.
Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
Answers
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device- certificate-management-certificates/manage-default-trusted-certificate-authorities

Question 55

Report
Export
Collapse

Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

A.
Yes. because the action is set to "allow ''
A.
Yes. because the action is set to "allow ''
Answers
B.
No because WildFire categorized a file with the verdict "malicious"
B.
No because WildFire categorized a file with the verdict "malicious"
Answers
C.
Yes because the action is set to "alert"
C.
Yes because the action is set to "alert"
Answers
D.
No because WildFire classified the seventy as "high."
D.
No because WildFire classified the seventy as "high."
Answers
Suggested answer: A

Explanation:

Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High.https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage- logs/log-types-and-severity-levels/threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae

Question 56

Report
Export
Collapse

Which configuration task is best for reducing load on the management plane?

A.
Disable logging on the default deny rule
A.
Disable logging on the default deny rule
Answers
B.
Enable session logging at start
B.
Enable session logging at start
Answers
C.
Disable pre-defined reports
C.
Disable pre-defined reports
Answers
D.
Set the URL filtering action to send alerts
D.
Set the URL filtering action to send alerts
Answers
Suggested answer: C

Explanation:

Report generation can also consume considerable resources, while some pre-defined reports may not be useful to the organization, or they've been replaced by a custom report. These pre-defined reports can be disabled from Device >

Setup > Logging and Reporting Settingshttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

Question 57

Report
Export
Collapse

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A.
GlobalProtect app and GlobalProtect gateway
A.
GlobalProtect app and GlobalProtect gateway
Answers
B.
GlobalProtect portal and GlobalProtect gateway
B.
GlobalProtect portal and GlobalProtect gateway
Answers
C.
GlobalProtect app and GlobalProtect satellite
C.
GlobalProtect app and GlobalProtect satellite
Answers
D.
GlobalProtect app and GlobalProtect portal
D.
GlobalProtect app and GlobalProtect portal
Answers
Suggested answer: A

Explanation:

UDP 4501 Used for IPSec tunnel connections between GlobalProtect apps and gateways.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html

Question 58

Report
Export
Collapse

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

A.
Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
A.
Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
Answers
B.
Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/ sub interface to a unique zone.
B.
Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/ sub interface to a unique zone.
Answers
C.
Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface tA. unique zone. Do not assign any interface an IP address.
C.
Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface tA. unique zone. Do not assign any interface an IP address.
Answers
D.
Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.
D.
Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.
Answers
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-trafficVirtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire toconnect two interfaces and configure either interface to block or allow traffic based on the virtualLAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.

You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Question 59

Report
Export
Collapse

In a Panorama template which three types of objects are configurable? (Choose three)

A.
certificate profiles
A.
certificate profiles
Answers
B.
HIP objects
B.
HIP objects
Answers
C.
QoS profiles
C.
QoS profiles
Answers
D.
security profiles
D.
security profiles
Answers
E.
interface management profiles
E.
interface management profiles
Answers
Suggested answer: A, C, E

Question 60

Report
Export
Collapse

An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

A.
Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile
A.
Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile
Answers
B.
Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
B.
Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
Answers
C.
Configure a Captive Portal authentication policy that uses an authentication sequence
C.
Configure a Captive Portal authentication policy that uses an authentication sequence
Answers
D.
Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns
D.
Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns
Answers
Suggested answer: C

Explanation:


Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms