
Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 12


Question 111


During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

A. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
C. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.
D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Suggested answer: B

Explanation:

Generate a CA certificate for Forward Trust (step 2) and a self-signed CA for Forward Untrust (step 4). https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

asked 23/09/2024
Carole Pie
46 questions

Question 112


How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advanced Routing Engine on PAN-OS 10.2?

A. Create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD
B. Create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
C. Create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
D. Create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/create-bfd-profiles#idf2ccda44-0678-4df3-ad1d-2ec8f47cec7b then https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/configure-bgp-on-an-advanced-routing-engine

asked 23/09/2024
carlos baptista
34 questions

Question 113


An administrator has configured a pair of firewalls using high availability in Active/Passive mode.

Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.

Which scenario will cause the Active firewall to fail over?

A. IP address 8.8.8.8 is unreachable for 1 second.
B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
C. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.
D. IP address 4.2.2.2 is unreachable for 2 seconds.
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring

asked 23/09/2024
Peter Urban
42 questions

Question 114


With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

[Image: session details for Question 114]

A. Incomplete
B. unknown-udp
C. Insufficient-data
D. not-applicable
Suggested answer: B

Explanation:

UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

asked 23/09/2024
Shafqat Balouch
29 questions

Question 115


Which profile generates a packet threat type found in threat logs?

A. Zone Protection
B. WildFire
C. Anti-Spyware
D. Antivirus
Suggested answer: A

Explanation:

"Threat/Content Type (subtype) Subtype of threat log." "packet - Packet-based attack protection triggered by a Zone Protection profile." https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields

asked 23/09/2024
Kwame Kankam-Boadu
34 questions

Question 116


A client wants to detect the use of weak and manufacturer-default passwords for IoT devices. Which option will help the customer?

A. Configure a Data Filtering profile with alert mode.
B. Configure an Antivirus profile with alert mode.
C. Configure a Vulnerability Protection profile with alert mode.
D. Configure an Anti-Spyware profile with alert mode.
Suggested answer: C

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles

asked 23/09/2024
Rebekah Midkiff
34 questions

Question 117


A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

A. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone.
B. Enable packet buffer protection in the outside zone.
C. Create a Security rule to deny all ICMP traffic from the outside zone.
D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
Suggested answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-reconnaissance-protection

asked 23/09/2024
Maurice Nicholson
33 questions

Question 118


An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
B. Enable HTTPS in an Interface Management profile on the subinterface.
C. Add the network segment's IP range to the Permitted IP Addresses list.
D. Configure a service route for HTTP to use the subinterface.
Suggested answer: B

Explanation:

An interface management profile defines which services are available on an interface, such as HTTPS, SSH, ping, or SNMP. By enabling HTTPS in an interface management profile on the subinterface, the engineer can allow XML API access to the firewall for automation on the network segment that is routed through the subinterface. Specifying the subinterface as a management interface in Setup > Device > Interfaces is not possible, as only physical interfaces can be designated as management interfaces. Adding the network segment's IP range to the Permitted IP Addresses list will not help, as this list only applies to the dedicated management interface. Configuring a service route for HTTP to use the subinterface will not help, as this will only affect the outbound traffic from the firewall to external services, not the inbound traffic to the firewall for XML API access. Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-interface-management-profiles https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/enable-api-access

asked 23/09/2024
Miroslav Burzinskij
36 questions

Question 119


An engineer needs to see how many existing SSL decryption sessions are traversing a firewall. What command should be used?

A. show dataplane pool statistics | match proxy
B. debug dataplane pool statistics | match proxy
C. debug sessions | match proxy
D. show sessions all
Suggested answer: B

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhdCAC

asked 23/09/2024
Easwari Lakshminarayanan
43 questions

Question 120


Which steps should an engineer take to forward system logs to email?

A. Create a new email profile under Device > Server Profiles; then navigate to Objects > Log Forwarding profile > set log type to system and then add the email profile.
B. Enable log forwarding under the email profile in the Objects tab.
C. Create a new email profile under Device > Server Profiles; then navigate to Device > Log Settings > System and add the email profile under Email.
D. Enable log forwarding under the email profile in the Device tab.
Suggested answer: C

Explanation:

An email profile defines the email server and sender address for sending email notifications from the firewall or Panorama. To forward system logs to email, the engineer needs to create a new email profile under Device > Server Profiles > Email and configure the required settings, such as SMTP server, sender email address, and recipient email address. Then, the engineer needs to navigate to Device > Log Settings > System and select the email profile under Email for each severity level of system logs that need to be forwarded. Enabling log forwarding under the email profile in the Objects tab or in the Device tab is not possible, as log forwarding profiles are configured under Objects > Log Forwarding. Log forwarding profiles are used for forwarding threat, traffic, URL filtering, data filtering, HIP match, configuration, and correlation logs, not system logs. Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-email-alerts https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-log-forwarding

asked 23/09/2024
Salah Dabwan
46 questions
Total 470 questions