ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 7

PBF can address which two scenarios? (Select Two)

A. forwarding all traffic by using source port 78249 to a specific egress interface
B. providing application connectivity when the primary circuit fails
C. enabling the firewall to bypass Layer 7 inspection
D. routing FTP to a backup ISP link to save bandwidth on the primary ISP link

Suggested answer: B, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps

Which data flow describes redistribution of user mappings?

A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama

Suggested answer: B

Explanation:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-user-mapping-information

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

A. IP Netmask
B. IP Wildcard Mask
C. IP Address
D. IP Range

Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects

An IP Wildcard Mask address object is useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram. An IP Wildcard Mask address object specifies which source or destination addresses are subject to a Security policy rule. A zero (0) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address [1]. For example, if you want to match all cash registers in the northeastern U.S., you can use an IP Wildcard Mask address object of 10.132.1.0/0.0.2.255, which will match any IP address from 10.132.1.0 to 10.132.3.255.

Reference:
[1] https://docs.paloaltonetworks.com/network-security/security-policy/objects/addresses

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

A. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs
B. Configure a security policy rule to allow new App-IDs that might have network-wide impact
C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
D. Study the release notes and install new App-IDs if they are determined to have low impact

Suggested answer: B, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

A. review the configuration logs on the Monitor tab
B. click Preview Changes under Push Scope
C. use Test Policy Match to review the policies in Panorama
D. context-switch to the affected firewall and use the configuration audit tool

Suggested answer: A

Explanation:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)

A. certificate profile
B. server certificate
C. SSH Service Profile
D. SSL/TLS Service Profile

Suggested answer: A, B

Explanation:

To configure certificate-based, secure authentication to the web UI, two components are required: a certificate profile and a server certificate. A certificate profile defines the trusted certificate authorities (CAs) for verifying client certificates and server certificates [1]. A server certificate is a digital certificate that identifies the firewall to clients and servers [2]. The firewall can use a self-signed certificate or a certificate signed by an external CA as the server certificate for web UI access [3]. The server certificate must be assigned to an SSL/TLS service profile, which specifies the SSL/TLS protocol version and cipher suites for secure communication [4]. The SSL/TLS service profile must then be selected in the general settings of the firewall management interface.

Reference:
[1] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-profiles
[2] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/generate-a-certificate-on-the-firewall
[3] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0
[4] https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/ssl-tls-service-profiles
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites.
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the "Block sessions with untrusted issuers" setting.

Suggested answer: A, D

Explanation:

You can use the No Decryption tab to enable settings that block traffic matched to a decryption policy rule configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session, even though the firewall does not decrypt and inspect the session traffic.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/objects/objects-decryption-profile

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767

A. The PanGPS process failed to connect to the PanGPA process on port 4767
B. The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767
C. The PanGPA process failed to connect to the PanGPS process on port 4767
D. The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Suggested answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

The PanGPA log on the GlobalProtect app records the events related to the user interface of the app, such as user actions, messages, and notifications [1]. The PanGPS log records the events related to the service or daemon process of the app, such as connection attempts, authentication, and tunnel establishment [2]. The PanGPA process communicates with the PanGPS process on port 4767 [3]. Therefore, the message "Failed to connect to server at port:4767" indicates that the PanGPA process failed to connect to the PanGPS process on port 4767. This could be caused by various factors, such as firewall blocking, antivirus interference, corrupted files, or incorrect permissions [4].

Reference:
[1] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUkCAK
[2] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS
[3] https://live.paloaltonetworks.com/t5/general-topics/pangps-vs-pangpa-logs-on-globalprotect/td-p/298259
[4] https://live.paloaltonetworks.com/t5/globalprotect-discussions/pangpa-and-pangps-logs/td-p/459846

Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite
B. GlobalProtect app
C. GlobalProtect portal
D. GlobalProtect gateway

Suggested answer: C

Explanation:

Clientless VPN is enabled on the GlobalProtect portal. Creating the portal is as simple as telling it whether you have accessed it already; a new gateway for accessing the GlobalProtect portal will appear, and client authentication can be used with an existing one.

https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5

A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution.

During onboarding, the following options and licenses were selected and enabled:

- Prisma Access for Remote Networks: 300 Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2 TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared

How can you configure Prisma Access to provide the same level of access as the current VPN solution?

A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet
C. Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

Suggested answer: A

Explanation:

To provide the same level of access as the current VPN solution, which is to secure only Internet egress for the connected clients, you can configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the Internet. This way, the mobile users will be assigned an IP address from a pool that belongs to the trust zone, and they will be able to access the Internet through Prisma Access using a gateway that belongs to the untrust zone [1]. You do not need to configure a service connection for this scenario, as a service connection is used to enable access between mobile users and remote networks or private apps [2]. You also do not need to configure trust-to-trust Security policy rules, as they are used to enable access between mobile users and other trusted resources [3].

Reference:
[1] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/create-a-service-connection-to-enable-access-between-users-and-networks
[2] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections
[3] https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-mobile-users/mobile-users-globalprotect/globalprotect-features-for-prisma-access.html
