Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 8
Question 71

What is the best description of the HA4 Keep-Alive Threshold (ms)?
Question 72

What is the function of a service route?
Explanation:
A service route is the path from an interface on the firewall to a service on a server. Service routes provide access to external services such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal [1]. By default, the firewall uses the management (MGT) interface to access these services, but you can configure a data port (a regular interface) as an alternative [2]. A service route is not related to the firewall's management plane or the port assigned for the external service. A service route does not affect how the server sends its response to the firewall.
Reference:
[1] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/service-routes-overview
[2] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/configure-service-routes
Question 73

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
Explanation:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration
Question 74

What is considered the best practice with regards to zone protection?
Explanation:
The best practice with regards to zone protection is to review DoS threat activity (ACC > Block Activity) and look for patterns of abuse. This way, you can identify the sources and types of DoS attacks that target your network zones and adjust your zone protection profiles and policies accordingly [1]. You can also use the DoS Protection dashboard widget to monitor the number of sessions that match DoS protection policies [2]. You do not need to use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs, as you can use a single log-forwarding profile to forward different types of logs to different destinations [3]. You should not disable zone protection if the levels of zone and DoS protection consume too many firewall resources, as this would expose your network zones to potential DoS attacks. Instead, you should optimize your zone protection profiles and policies to reduce the resource consumption [4]. You should not set the Alarm Rate threshold for event-log messages to high severity or critical severity, as this would limit the visibility into DoS attacks that have lower severity levels. Instead, you should set the Alarm Rate threshold to a value that is appropriate for your network environment and traffic patterns.
Reference:
[1] https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
[2] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-acc-to-monitor-network-activity/use-the-acc-to-monitor-dos-protection
[3] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/configure-log-forwarding/log-forwarding-profiles
[4] https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/network-profiles/zone-protection-profiles/configure-a-zone-protection-profile
Question 75

In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signature
Question 76

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.
The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.
What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks
Question 77

WildFire will submit for analysis blocked files that match which profile settings?
Explanation:
https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/wildfire-analysis-of-blocked-files
Question 78

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-groups
Question 79

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?
Explanation:
If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certificates/deploy-certificates-using-scep
Question 80

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions
Some traffic breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication; attempting to decrypt such traffic results in the firewall blocking it. Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) that, by default, excludes from SSL decryption hosts with applications and services that are known to break decryption technically. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.