ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSE

Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 9

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?
DRAG DROP An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue?
Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?

Question 81

Report
Export
Collapse

An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

A.
A scheduler will need to be configured for application signatures.
A.
A scheduler will need to be configured for application signatures.
Answers
B.
A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
B.
A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
Answers
C.
A Threat Prevention license will need to be installed.
C.
A Threat Prevention license will need to be installed.
Answers
D.
A service route will need to be configured.
D.
A service route will need to be configured.
Answers
Suggested answer: A

Explanation:

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates

Question 82

Report
Export
Collapse

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A.
Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
A.
Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
Answers
B.
Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
B.
Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
Answers
C.
Add a WildFire subscription to activate DoS and zone protection features
C.
Add a WildFire subscription to activate DoS and zone protection features
Answers
D.
Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
D.
Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
Answers
Suggested answer: A

Explanation:

1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-bestpractices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.

2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dosprotection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection.html

Question 83

Report
Export
Collapse

An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface What are three supported functions on the VWire interface? (Choose three )

A.
NAT
A.
NAT
Answers
B.
QoS
B.
QoS
Answers
C.
IPSec
C.
IPSec
Answers
D.
OSPF
D.
OSPF
Answers
E.
SSL Decryption
E.
SSL Decryption
Answers
Suggested answer: A, B, E

Explanation:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."

Question 84

Report
Export
Collapse

Where is information about packet buffer protection logged?

A.
Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
A.
Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
Answers
B.
All entries are in the System log
B.
All entries are in the System log
Answers
C.
Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
C.
Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
Answers
D.
All entries are in the Alarms log
D.
All entries are in the Alarms log
Answers
Suggested answer: D

Explanation:

Question 85

Report
Export
Collapse

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A.
A.
Answers
B.
B.
Answers
C.
C.
Answers
D.
D.
Answers
E.
Option A
E.
Option A
Answers
F.
Option B
F.
Option B
Answers
G.
Option C
G.
Option C
Answers
H.
Option D
H.
Option D
Answers
Suggested answer: C

Question 86

Report
Export
Collapse

Which statement is true regarding a Best Practice Assessment?

A.
It shows how your current configuration compares to Palo Alto Networks recommendations
A.
It shows how your current configuration compares to Palo Alto Networks recommendations
Answers
B.
It runs only on firewalls
B.
It runs only on firewalls
Answers
C.
When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
C.
When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
Answers
D.
It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
D.
It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
Answers
Suggested answer: A

Explanation:

The Best Practice Assessment (BPA) tool compares the configuration of firewalls and Panorama to the Palo Alto Networks best practice recommendations. Run the BPA periodically to identify security weaknesses, see the best practice settings, and implement them to improve your security posture.https://docs.paloaltonetworks.com/best-practices/10-2/bpa-getting-started

Question 87

Report
Export
Collapse

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.

What should the administrator implement?

A.
target service connection for traffic steering
A.
target service connection for traffic steering
Answers
B.
summarized BGP routes before advertising
B.
summarized BGP routes before advertising
Answers
C.
hot potato routing
C.
hot potato routing
Answers
D.
default routing
D.
default routing
Answers
Suggested answer: B

Explanation:

The best way to minimize the BGP configuration and management overhead on on-prem network devices is to summarize BGP routes before advertising them. Route summarization is a technique that reduces the number of routes in a routing table by aggregating multiple routes into a single route with a less specific prefix. This reduces the size of routing updates and the memory and CPUusage of routers. Prisma Access supports route summarization for service connections and remotenetwork connections that use BGP routing1. You should not implement target service connection for traffic steering, as this is a feature that allows you to select a specific service connection for traffic from a remote network connection or a mobile user based on destination IP address orapplication. This does not affect the BGP configuration or management on on-prem networkdevices2. You should not implement hot potato routing, as this is a routing technique that selects the closest exit point to the destination network based on the number of hops or the lowest IGPmetric. This does not affect the BGP configuration or management on on-prem network devices3.You should not implement default routing, as this is a routing technique that uses a default route to forward packets to an unknown destination. This does not affect the BGP configuration ormanagement on on-prem network devices, and it may not provide optimal routing for Prisma Access traffic4. Reference: 1: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access- panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/configure- route-summarization-for-service-connections 2: https://docs.paloaltonetworks.com/prisma/prisma- access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service- connection-overview/target-service-connection-for-traffic-steering 3: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed- admin/prisma-access-service-connections/service-connection-routing 4:https://docs.paloaltonetworks.com/prisma/prisma-access/ prisma-access-cloud-managed- admin/prisma-access-service-connections/service-connection-routing/routing-for-service-connection-traffic-cloud-management.html

Question 88

Report
Export
Collapse

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

A.
signature matching for content inspection
A.
signature matching for content inspection
Answers
B.
IPSec tunnel standup
B.
IPSec tunnel standup
Answers
C.
Quality of Service
C.
Quality of Service
Answers
D.
logging
D.
logging
Answers
Suggested answer: D

Explanation:

Logging is a function that is handled by the management plane (control plane) of a Palo Alto Networks firewall. The management plane is responsible for managing and configuring the firewall, as well as generating and storing logs and reports. The management plane communicates with the data plane (also known as the packet forwarding plane) through an internal backplane interface.Signature matching for content inspection, IPSec tunnel standup, and Quality of Service are functions that are handled by the data plane of a Palo Alto Networks firewall. The data plane is responsible for processing and forwarding packets, as well as applying security policies and features to the traffic.The data plane consists of multiple dedicated hardware components, such as the Single-Pass Parallel Processing (SP3) engine, the Security Processing Unit (SPU), and the Network Processing Unit (NPU).Reference: : https://docs.paloaltonetworks.com/ pan-os/10-2/pan-os-admin/firewall- administration/manage-firewall-administrators/firewall-management-interfaces :https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/firewall- concepts/firewall-overview

Question 89

Report
Export
Collapse

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A.
wildcard server certificate
A.
wildcard server certificate
Answers
B.
enterprise CA certificate
B.
enterprise CA certificate
Answers
C.
client certificate
C.
client certificate
Answers
D.
server certificate
D.
server certificate
Answers
E.
self-signed CA certificate
E.
self-signed CA certificate
Answers
Suggested answer: B, E

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

Question 90

Report
Export
Collapse

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

A.
Guest devices may not trust the CA certificate used for the forward untrust certificate.
A.
Guest devices may not trust the CA certificate used for the forward untrust certificate.
Answers
B.
Guests may use operating systems that can't be decrypted.
B.
Guests may use operating systems that can't be decrypted.
Answers
C.
The organization has no legal authority to decrypt their traffic.
C.
The organization has no legal authority to decrypt their traffic.
Answers
D.
Guest devices may not trust the CA certificate used for the forward trust certificate.
D.
Guest devices may not trust the CA certificate used for the forward trust certificate.
Answers
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best- practices/plan-ssl-decryption-best-practice-deployment https://live.paloaltonetworks.com/t5/general-topics/decrypt-guest-network-traffic/td-p/119388

Total 426 questions
Go to page: of 43
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms