Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 6

Question 51

What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
C. The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
D. The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Suggested answer: C
asked 23/09/2024
PKE Holding AG Leitgeb
40 questions

Question 52

An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

A. no install on the route
B. duplicate static route
C. path monitoring on the static route
D. disabling of the static route
Suggested answer: A, C
Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/static-routes/configure-a-static-route.html

asked 23/09/2024
Srinivasan Kumaresan
40 questions

Question 53

An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?

A. Traffic Logs
B. System Logs
C. Session Browser
D. You cannot find failover details on closed sessions
Suggested answer: A
Explanation:

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/configure-sd-wan/sd-wan-traffic-distribution-profiles

asked 23/09/2024
Trung Phan
50 questions

Question 54

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-important-website.com website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

A. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA checkbox, and commit the configuration.
B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.
C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
D. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration.
Suggested answer: B
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-certificates/manage-default-trusted-certificate-authorities

asked 23/09/2024
Joice Lira
34 questions

Question 55

Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?

[Image: WildFire submission log snippet for Question 55]

A. Yes, because the action is set to "allow"
B. No, because WildFire categorized a file with the verdict "malicious"
C. Yes, because the action is set to "alert"
D. No, because WildFire classified the severity as "high"
Suggested answer: A
Explanation:

Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae

asked 23/09/2024
Garvey Butler
50 questions

Question 56

Which configuration task is best for reducing load on the management plane?

A. Disable logging on the default deny rule
B. Enable session logging at start
C. Disable pre-defined reports
D. Set the URL filtering action to send alerts
Suggested answer: C
Explanation:

Report generation can also consume considerable resources, while some pre-defined reports may not be useful to the organization, or they've been replaced by a custom report. These pre-defined reports can be disabled from Device > Setup > Logging and Reporting Settings.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

asked 23/09/2024
Vimal Varughese
45 questions

Question 57

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A. GlobalProtect app and GlobalProtect gateway
B. GlobalProtect portal and GlobalProtect gateway
C. GlobalProtect app and GlobalProtect satellite
D. GlobalProtect app and GlobalProtect portal
Suggested answer: A
Explanation:

UDP 4501 is used for IPSec tunnel connections between GlobalProtect apps and gateways.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html

asked 23/09/2024
ANDREA SIMONELLI
42 questions

Question 58

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

A. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Suggested answer: B
Explanation:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic

Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.

You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

asked 23/09/2024
matteo vadagnini
48 questions

Question 59

In a Panorama template which three types of objects are configurable? (Choose three)

A. certificate profiles
B. HIP objects
C. QoS profiles
D. security profiles
E. interface management profiles
Suggested answer: A, C, E
asked 23/09/2024
sangilipandy Arumugam
27 questions

Question 60

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

A. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
C. Configure a Captive Portal authentication policy that uses an authentication sequence
D. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns
Suggested answer: C
asked 23/09/2024
antonio de simone
44 questions
Total 470 questions