ExamGecko
Search Search Login
Home Home / Palo Alto Networks / PCNSC
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A customer's Palo Alto Networks NGFW currently has only one security policy allowing all traffic They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an 'allow any' rule What should the consultant say about Expedition?
An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations They have also purchased a Support license, a Threat license a URL Filtering license, and a WildFire license for each firewall What additional license do they need to purchase'?
Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update-? (Choose two)
How can you verify that a new security policy is correctly blocking traffic without disrupting the network?
What is the maximum number of virtual systems supported by a Palo Alto Networks VM-300 firewall?
You are hosting a public-facing web server on your DMZ and access to that server is through a Palo Alto Networks firewall Both internal clients and internet clients access this web server using the FQDN public webserver acme com which resolves to the public address of 99.99 99.2 Which combination of NAT policies is necessary to enable access to the web server for both internal and internet clients? A) B) C) D)
Which two log types are necessary to fully investigate a network intrusion? (Choose two)
Which GlobalProtect feature ensures that only trusted endpoints can connect to the network?
Which CLI command should you use to verify whether all SFP SFP*, or QSFP modules are installed in a firewall?
A customer has a five-year-old firewall in production in the time since the firewall was installed, the IT team deleted unused security policies on a regular basis but they did not remove the address objects and groups that were part of these security policies. What is the best way to delete all of the unused address objects on the firewall?

Question 20 - PCNSC discussion

Report
Export

A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy based VPN peer After the initial configuration is completed and the changes are committed, phase 2 fails to establish

Which two changes may be required to fix the issue? (Choose two)

A.
Verity that the certificate used tor authentication is installed.
Answers
A.
Verity that the certificate used tor authentication is installed.
B.
Verify that PFS is enabled on both ends
Answers
B.
Verify that PFS is enabled on both ends
C.
Enable the NAT Traversal advanced option.
Answers
C.
Enable the NAT Traversal advanced option.
D.
Add proxy IDs to the iPsec tunnel configuration
Answers
D.
Add proxy IDs to the iPsec tunnel configuration
Suggested answer: B, D

Explanation:

When configuring a site-to-site VPN between a Palo Alto Networks Next-Generation Firewall (NGFW) and a third-party device with a policy-based VPN peer, Phase 2 failures can often be attributed to configuration mismatches or missing parameters. Here are the two changes that may be required to fix the issue:

B . Verify that PFS is enabled on both ends: Perfect Forward Secrecy (PFS) is a method that ensures the security of cryptographic keys. Both ends of the VPN tunnel need to agree on whether PFS is used. If PFS is enabled on one side but not the other, Phase 2 will fail. Verify the PFS settings and ensure they are matched on both the Palo Alto firewall and the third-party VPN device.

D . Add proxy IDs to the IPsec tunnel configuration: Proxy IDs (or traffic selectors) define the specific local and remote IP ranges that are allowed to communicate through the VPN tunnel. They are particularly crucial when dealing with policy-based VPNs. If the proxy IDs are not correctly configured, Phase 2 negotiations will fail. Add the appropriate proxy IDs to the IPsec tunnel configuration to match the policy-based VPN settings of the third-party device.

Palo Alto Networks - Configuring Site-to-Site VPN Between Palo Alto Networks and a Third-Party Firewall: https://docs.paloaltonetworks.com

Palo Alto Networks - VPN Configuration Guidelines: https://knowledgebase.paloaltonetworks.com

Show Answer
asked 23/09/2024
Kees den Dekker
43 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms