Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 7
Question 61

PBF can address which two scenarios? (Select Two)
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps
Question 62

Which data flow describes redistribution of user mappings?
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-user-mapping-information
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809
Question 63

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
An IP Wildcard Mask address object is useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram. An IP Wildcard Mask address object specifies which source or destination addresses are subject to a Security policy rule. A zero (0) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address [1]. For example, if you want to match all cash registers in the northeastern U.S., you can use an IP Wildcard Mask address object of 10.132.1.0/0.0.2.255, which will match any IP address from 10.132.1.0 to 10.132.3.255.
Reference:
[1] https://docs.paloaltonetworks.com/network-security/security-policy/objects/addresses
Question 64

What are two best practices for incorporating new and modified App-IDs? (Choose two.)
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html
Question 65

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.
How should the administrator identify the configuration changes?
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html
Question 66

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)
To configure certificate-based, secure authentication to the web UI, two components are required: a certificate profile and a server certificate. A certificate profile defines the trusted certificate authorities (CAs) for verifying client certificates and server certificates [1]. A server certificate is a digital certificate that identifies the firewall to clients and servers [2]. The firewall can use a self-signed certificate or a certificate signed by an external CA as the server certificate for web UI access [3]. The server certificate must be assigned to an SSL/TLS service profile, which specifies the SSL/TLS protocol version and cipher suites for secure communication [4]. The SSL/TLS service profile must be selected in the general settings of the firewall management interface.
Reference:
[1] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-profiles
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/generate-a-certificate-on-the-firewall
[3] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0
[4] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/ssl-tls-service-profiles
[5] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface
Question 67

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption policy configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session, though the firewall does not decrypt and inspect the session traffic.
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-decryption-profile
Question 68

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?
Failed to connect to server at port:4767
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD
The PanGPA log on the GlobalProtect app records the events related to the user interface of the app, such as user actions, messages, and notifications [1]. The PanGPS log records the events related to the service or daemon process of the app, such as connection attempts, authentication, and tunnel establishment [2]. The PanGPA process communicates with the PanGPS process on port 4767 [3]. Therefore, the message "Failed to connect to server at port:4767" indicates that the PanGPA process failed to connect to the PanGPS process on port 4767. This could be caused by various factors, such as firewall blocking, antivirus interference, corrupted files, or incorrect permissions [4].
Reference:
[1] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUkCAK
[2] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS
[3] https://live.paloaltonetworks.com/t5/general-topics/pangps-vs-pangpa-logs-on-globalprotect/td-p/298259
[4] https://live.paloaltonetworks.com/t5/globalprotect-discussions/pangpa-and-pangps-logs/td-p/459846
Question 69

Which GlobalProtect component must be configured to enable Clientless VPN?
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5
Question 70

A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution.
During onboarding, the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks 300Mbps
- Prisma Access for Mobile Users 1500 Users
- Cortex Data Lake 2TB
- Trusted Zones trust
- Untrusted Zones untrust
- Parent Device Group shared
How can you configure Prisma Access to provide the same level of access as the current VPN solution?
To provide the same level of access as the current VPN solution, which is to secure only Internet egress for the connected clients, you can configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet. This way, the mobile users will be assigned an IP address from a pool that belongs to the trust zone, and they will be able to access the Internet through Prisma Access using a gateway that belongs to the untrust zone [1]. You do not need to configure a service connection for this scenario, as a service connection is used to enable access between mobile users and remote networks or private apps [2]. You also do not need to configure trust-to-trust Security policy rules, as they are used to enable access between mobile users and other trusted resources [3].
Reference:
[1] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/create-a-service-connection-to-enable-access-between-users-and-networks
[2] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections
[3] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-mobile-users/mobile-users-globalprotect/globalprotect-features-for-prisma-access.html