ExamGecko
Home / Palo Alto Networks / PCNSE / List of questions
Ask Question

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 8

Question list
Search

Related questions











Question 71

Report
Export
Collapse

What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Suggested answer: C
asked 23/09/2024
Juy Juy
39 questions

Question 72

Report
Export
Collapse

What is the function of a service route?

The service route is the method required to use the firewall's management plane to provide services to applications
The service route is the method required to use the firewall's management plane to provide services to applications
The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address
The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address
The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address
The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address
Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal
Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal
Suggested answer: D

Explanation:

A service route is the path from an interface on the firewall to a service on a server. Service routesprovide access to external services such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal1. By default, the firewall uses the management (MGT) interface to access these services, but you can configure a data port (a regular interface) as analternative2. A service route is not related to the firewall's management plane or the port assignedfor the external service. A service route does not affect how the server sends its response to the firewall. Reference: 1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking- admin/service-routes/ service-routes-overview 2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/configure-service-routes

asked 23/09/2024
Lourdhureddy Kommareddy
29 questions

Question 73

Report
Export
Collapse

Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

link requirements
link requirements
the name of the ISP
the name of the ISP
IP Addresses
IP Addresses
branch and hub locations
branch and hub locations
Suggested answer: A, C, D

Explanation:

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration

asked 23/09/2024
Mark Green
45 questions

Question 74

Report
Export
Collapse

What is considered the best practice with regards to zone protection?

Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
Set the Alarm Rate threshold for event-log messages to high severity or critical severity
Set the Alarm Rate threshold for event-log messages to high severity or critical severity
Suggested answer: A

Explanation:

The best practice with regards to zone protection is to review DoS threat activity (ACC > BlockActivity) and look for patterns of abuse. This way, you can identify the sources and types of DoS attacks that target your network zones and adjust your zone protection profiles and policies accordingly1. You can also use the DoS Protection dashboard widget to monitor the number of sessions that match DoS protection policies2. You do not need to use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs, as you can use a single log-forwarding profile to forward different types of logs to different destinations3. You shouldnot disable zone protection if the levels of zone and DoS protection consume too many firewall resources, as this would expose your network zones to potential DoS attacks. Instead, you shouldoptimize your zone protection profiles and policies to reduce the resource consumption4. You shouldnot set the Alarm Rate threshold for event-log messages to high severity or critical severity, as this would limit the visibility into DoS attacks that have lower severity levels. Instead, you should set theAlarm Rate threshold to a value that is appropriate for your network environment and traffic patterns. Reference: 1: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection- best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone- protection-best-practices 2: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os- admin/monitoring/use-the-acc-to-monitor-network-activity/use-the-acc-to-monitor-dos- protection 3: https:// docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/configure-log-forwarding/log-forwarding-profiles 4: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices : https://docs.paloaltonetworks.com/pan-os/10-2/pan-os- admin/networking/network-profiles/zone-protection-profiles/configure-a-zone-protection-profile

asked 23/09/2024
Tural Pashayev
28 questions

Question 75

Report
Export
Collapse

Palo Alto Networks PCNSE image Question 75 54312 09232024001219000000

In the screenshot above which two pieces of information can be determined from the ACC configuration shown? (Choose two )

The Network Activity tab will display all applications, including FTP.
The Network Activity tab will display all applications, including FTP.
Threats with a severity of "high" are always listed at the top of the Threat Name list
Threats with a severity of "high" are always listed at the top of the Threat Name list
Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
The ACC has been filtered to only show the FTP application
The ACC has been filtered to only show the FTP application
Suggested answer: C, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signature

asked 23/09/2024
Gift Thanyane
33 questions

Question 76

Report
Export
Collapse

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Move the "Global" template above the "Local" template in the template stack.
Move the "Global" template above the "Local" template in the template stack.
Perform a commit and push with the "Force Template Values" option selected.
Perform a commit and push with the "Force Template Values" option selected.
Move the "Local" template above the "Global" template in the template stack.
Move the "Local" template above the "Global" template in the template stack.
Override the values on the local firewall and apply the correct settings for each value.
Override the values on the local firewall and apply the correct settings for each value.
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama- overview/centralized-firewall-configuration-and-update-management/templates-and-template- stacks

asked 23/09/2024
Vipul Mehra
34 questions

Question 77

Report
Export
Collapse

WildFire will submit for analysis blocked files that match which profile settings?

files matching Anti-Spyware signatures
files matching Anti-Spyware signatures
files that are blocked by URL filtering
files that are blocked by URL filtering
files that are blocked by a File Blocking profile
files that are blocked by a File Blocking profile
files matching Anti-Virus signatures
files matching Anti-Virus signatures
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud- features/wildfire-analysis-of-blocked-files

asked 23/09/2024
Wilson Geneblazo
33 questions

Question 78

Report
Export
Collapse

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory What must be configured in order to select users and groups for those rules from Panorama?

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured
The Security rules must be targeted to a firewall in the device group and have Group Mapping configured
A master device with Group Mapping configured must be set in the device group where the Security rules are configured
A master device with Group Mapping configured must be set in the device group where the Security rules are configured
User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
A User-ID Certificate profile must be configured on Panorama
A User-ID Certificate profile must be configured on Panorama
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web- interface/panorama-device-groups

asked 23/09/2024
Rick James
43 questions

Question 79

Report
Export
Collapse

What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

SSL/TLS Service profile
SSL/TLS Service profile
Certificate profile
Certificate profile
SCEP
SCEP
OCSP Responder
OCSP Responder
Suggested answer: C

Explanation:

If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain- certificates/deploy-certificates-using-scep

asked 23/09/2024
Steve Nihan
39 questions

Question 80

Report
Export
Collapse

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Allow the firewall to block the sites to improve the security posture
Allow the firewall to block the sites to improve the security posture
Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
Install the unsupported cipher into the firewall to allow the sites to be decrypted
Install the unsupported cipher into the firewall to allow the sites to be decrypted
Create a Security policy to allow access to those sites
Create a Security policy to allow access to those sites
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in blocking the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.

asked 23/09/2024
Gerhard Seher
28 questions
Total 470 questions
Go to page: of 47