Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 9
Question 81
An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates
Question 82
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
Explanation:
1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-bestpractices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.
2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dosprotection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection.html
Question 83
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the VWire interface. What are three supported functions on the VWire interface? (Choose three.)
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces
"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."
Question 84
Where is information about packet buffer protection logged?
Explanation:
Question 85
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
Question 86
Which statement is true regarding a Best Practice Assessment?
Explanation:
The Best Practice Assessment (BPA) tool compares the configuration of firewalls and Panorama to the Palo Alto Networks best practice recommendations. Run the BPA periodically to identify security weaknesses, see the best practice settings, and implement them to improve your security posture.
https://docs.paloaltonetworks.com/best-practices/10-2/bpa-getting-started
Question 87
A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.
What should the administrator implement?
Explanation:
The best way to minimize the BGP configuration and management overhead on on-prem network devices is to summarize BGP routes before advertising them. Route summarization is a technique that reduces the number of routes in a routing table by aggregating multiple routes into a single route with a less specific prefix. This reduces the size of routing updates and the memory and CPU usage of routers. Prisma Access supports route summarization for service connections and remote network connections that use BGP routing [1].
You should not implement target service connection for traffic steering, as this is a feature that allows you to select a specific service connection for traffic from a remote network connection or a mobile user based on destination IP address or application. This does not affect the BGP configuration or management on on-prem network devices [2].
You should not implement hot potato routing, as this is a routing technique that selects the closest exit point to the destination network based on the number of hops or the lowest IGP metric. This does not affect the BGP configuration or management on on-prem network devices [3].
You should not implement default routing, as this is a routing technique that uses a default route to forward packets to an unknown destination. This does not affect the BGP configuration or management on on-prem network devices, and it may not provide optimal routing for Prisma Access traffic [4].
Reference:
1: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/configure-route-summarization-for-service-connections
2: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/target-service-connection-for-traffic-steering
3: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections/service-connection-routing
4: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections/service-connection-routing/routing-for-service-connection-traffic-cloud-management.html
Question 88
Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?
Explanation:
Logging is a function that is handled by the management plane (control plane) of a Palo Alto Networks firewall. The management plane is responsible for managing and configuring the firewall, as well as generating and storing logs and reports. The management plane communicates with the data plane (also known as the packet forwarding plane) through an internal backplane interface.
Signature matching for content inspection, IPSec tunnel standup, and Quality of Service are functions that are handled by the data plane of a Palo Alto Networks firewall. The data plane is responsible for processing and forwarding packets, as well as applying security policies and features to the traffic. The data plane consists of multiple dedicated hardware components, such as the Single-Pass Parallel Processing (SP3) engine, the Security Processing Unit (SPU), and the Network Processing Unit (NPU).
Reference:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/firewall-management-interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/firewall-concepts/firewall-overview
Question 89
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
Question 90
An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.
What is a common obstacle for decrypting traffic from guest devices?
Explanation:
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
https://live.paloaltonetworks.com/t5/general-topics/decrypt-guest-network-traffic/td-p/119388