ExamGecko

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 8


What is the best description of the HA4 Keep-Alive Threshold (ms)?

A. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
B. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
C. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
D. The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.
Suggested answer: C

What is the function of a service route?

A. The service route is the method required to use the firewall's management plane to provide services to applications
B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address
C. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address
D. Service routes provide access to external services such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal
Suggested answer: D

Explanation:

A service route is the path from an interface on the firewall to a service on a server. Service routes provide access to external services such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal [1]. By default, the firewall uses the management (MGT) interface to access these services, but you can configure a data port (a regular interface) as an alternative [2]. A service route is not related to the firewall's management plane or the port assigned for the external service. A service route does not affect how the server sends its response to the firewall.

Reference:
[1] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/service-routes-overview
[2] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/configure-service-routes

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations
Suggested answer: A, C, D

Explanation:

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration

What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity
Suggested answer: A

Explanation:

The best practice with regards to zone protection is to review DoS threat activity (ACC > Block Activity) and look for patterns of abuse. This way, you can identify the sources and types of DoS attacks that target your network zones and adjust your zone protection profiles and policies accordingly [1]. You can also use the DoS Protection dashboard widget to monitor the number of sessions that match DoS protection policies [2]. You do not need to use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs, as you can use a single log-forwarding profile to forward different types of logs to different destinations [3]. You should not disable zone protection if the levels of zone and DoS protection consume too many firewall resources, as this would expose your network zones to potential DoS attacks. Instead, you should optimize your zone protection profiles and policies to reduce the resource consumption [4]. You should not set the Alarm Rate threshold for event-log messages to high severity or critical severity, as this would limit the visibility into DoS attacks that have lower severity levels. Instead, you should set the Alarm Rate threshold to a value that is appropriate for your network environment and traffic patterns.

Reference:
[1] https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
[2] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-the-acc-to-monitor-network-activity/use-the-acc-to-monitor-dos-protection
[3] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/configure-log-forwarding/log-forwarding-profiles
[4] https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/networking/network-profiles/zone-protection-profiles/configure-a-zone-protection-profile

In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)

A. The Network Activity tab will display all applications, including FTP.
B. Threats with a severity of "high" are always listed at the top of the Threat Name list
C. Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
D. The ACC has been filtered to only show the FTP application
Suggested answer: C, D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signature

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

A. Move the "Global" template above the "Local" template in the template stack.
B. Perform a commit and push with the "Force Template Values" option selected.
C. Move the "Local" template above the "Global" template in the template stack.
D. Override the values on the local firewall and apply the correct settings for each value.
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks

WildFire will submit for analysis blocked files that match which profile settings?

A. files matching Anti-Spyware signatures
B. files that are blocked by URL filtering
C. files that are blocked by a File Blocking profile
D. files matching Anti-Virus signatures
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/latest-wildfire-cloud-features/wildfire-analysis-of-blocked-files

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?

A. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured
B. A master device with Group Mapping configured must be set in the device group where the Security rules are configured
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
D. A User-ID Certificate profile must be configured on Panorama
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-groups

What can you use with GlobalProtect to assign user-specific client certificates to each GlobalProtect user?

A. SSL/TLS Service profile
B. Certificate profile
C. SCEP
D. OCSP Responder
Suggested answer: C

Explanation:

If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certificates/deploy-certificates-using-scep

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?

A. Allow the firewall to block the sites to improve the security posture
B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
C. Install the unsupported cipher into the firewall to allow the sites to be decrypted
D. Create a Security policy to allow access to those sites
Suggested answer: B

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions

Some traffic breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication; attempting to decrypt the traffic results in blocking the traffic. Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.

Total 426 questions