
Paloalto Networks PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Exam Practice Test

Page: 1 / 15
Total 152 questions

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Questions and Answers

Question 1

An administrator analyzes the following portion of a VPN system log and notices the following issue:

"Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

Options:

A.

IPSec crypto profile mismatch

B.

IPSec protocol mismatch

C.

mismatched Proxy-IDs

D.

bad local and peer identification IP addresses in the IKE gateway
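The log line in this question is an ikemgr message about the proxy IDs the peer offered during the IKE phase-2 exchange. The following script is an added example (not part of the practice test and not Palo Alto Networks code): it parses that message, masks the host bits the peer sent (10.10.1.4/24 is really the 10.10.1.0/24 subnet), and compares the result with a constructed list of proxy IDs configured on this firewall. The proxy-ID names and the second subnet pair are hypothetical, and the script assumes PAN-OS reports the received IDs already oriented from this firewall's point of view; verify that against your own log before copying the suggested values into the tunnel.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Pattern for the ikemgr message quoted in the question. Assumption: the
# message keeps the "received <side> id <net> type <type> protocol <n> port <n>"
# shape on other PAN-OS releases (the type token may read "IPv4_subnet").
_ID_RE = re.compile(
    r"received (?P<side>local|remote) id (?P<net>\S+) "
    r"type (?P<type>IPv[46][ _]\w+) protocol (?P<proto>\d+) port (?P<port>\d+)",
    re.IGNORECASE,
)

# Constructed sample: the log line from the question with the dots restored.
SAMPLE_LOG = (
    "Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, "
    "received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."
)

# Constructed sample: proxy IDs configured on this firewall's IPSec tunnel
# (hypothetical names and subnets).
SAMPLE_PROXY_IDS = [
    {"name": "branch-1", "local": "10.10.1.0/24", "remote": "10.1.20.0/24", "protocol": 0},
    {"name": "branch-2", "local": "10.10.2.0/24", "remote": "10.1.10.0/24", "protocol": 0},
]


def parse_received_ids(log_line: str) -> Dict[str, dict]:
    """Extract the two proxy IDs from the log line, keyed by 'local' and 'remote'.

    Host bits in the received ID (10.10.1.4/24) are masked off so the subnet
    can be compared with a configured proxy ID; the raw text is kept so the
    caller can see that the peer sent a host address with a mask.
    """
    ids: Dict[str, dict] = {}
    for m in _ID_RE.finditer(log_line):
        ids[m.group("side").lower()] = {
            "raw": m.group("net"),
            "net": ipaddress.ip_network(m.group("net"), strict=False),
            "proto": int(m.group("proto")),
            "port": int(m.group("port")),
        }
    if set(ids) != {"local", "remote"}:
        raise ValueError("log line does not carry both a local and a remote ID")
    return ids


def diagnose(log_line: str, proxy_ids: List[dict]) -> dict:
    """Report which configured proxy ID (if any) matches what the peer sent.

    Assumption: PAN-OS reports the received IDs already oriented from this
    firewall's point of view, so 'local' is compared with the configured local
    side and 'remote' with the configured remote side.
    """
    received = parse_received_ids(log_line)
    matched: Optional[str] = None
    for pid in proxy_ids:
        local_ok = ipaddress.ip_network(pid["local"], strict=False) == received["local"]["net"]
        remote_ok = ipaddress.ip_network(pid["remote"], strict=False) == received["remote"]["net"]
        proto_ok = pid.get("protocol", 0) == received["local"]["proto"] == received["remote"]["proto"]
        if local_ok and remote_ok and proto_ok:
            matched = pid["name"]
            break
    return {
        "matched": matched,
        "verdict": "proxy IDs match" if matched else "mismatched Proxy-IDs",
        # Values a matching proxy ID on this firewall would need.
        "expected_local": str(received["local"]["net"]),
        "expected_remote": str(received["remote"]["net"]),
        "expected_protocol": received["local"]["proto"],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_PROXY_IDS))
```

Neither configured proxy ID pairs 10.10.1.0/24 with 10.1.10.0/24, so the script reports "mismatched Proxy-IDs" and prints the local/remote pair a matching proxy ID would need. A crypto-profile or protocol mismatch produces different ikemgr messages and would not surface as a received-ID line at all.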

Question 2

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

Options:

A.

a Security policy with 'known-user' selected in the Source User field

B.

an Authentication policy with 'unknown' selected in the Source User field

C.

a Security policy with 'unknown' selected in the Source User field

D.

an Authentication policy with 'known-user' selected in the Source User field

Question 3

A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system)

ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-Intermediate-CA

iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) of www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website, and the server certificate is not trusted by the firewall.

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

Options:

A.

Enterprise-Untrusted-CA which is a self-signed CA

B.

Enterprise-Trusted-CA which is a self-signed CA

C.

Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA

D.

Enterprise-Root-CA which is a self-signed CA

Question 4

Which statement accurately describes service routes and virtual systems?

Options:

A.

Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.

B.

Virtual systems can only use one interface for all global service and service routes of the firewall.

C.

Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.

D.

The interface must be used for traffic to the required external services.

Question 5

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

Options:

A.

90 Mbps

B.

300 Mbps

C.

75 Mbps

D.

50 Mbps

Question 6

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.

Which scenario will cause the Active firewall to fail over?

Options:

A.

IP address 8.8.8.8 is unreachable for 1 second.

B.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.

C.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds

D.

IP address 4.2.2.2 is unreachable for 2 seconds.
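Path monitoring in this question has two levels of failure condition: the group fails only when "all" of its destinations are down, and the top-level "any" setting fails the firewall over as soon as one group fails. A destination is declared down after the configured number of consecutive probes (Ping Count) go unanswered at the configured Ping Interval. The script below is an added example (not from the practice test and not Palo Alto Networks code) that models that logic and runs the four answer scenarios through the question's configuration. It assumes probes are evenly spaced and the outage begins on a probe boundary, so an outage of N ms swallows N // interval probes; the group name is hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PathGroup:
    """One HA path-monitoring group (Device > High Availability > Link and Path Monitoring)."""
    name: str
    destinations: List[str]
    failure_condition: str   # "any": one unreachable destination fails the group; "all": every one must be
    ping_interval_ms: int
    ping_count: int

    def pings_lost(self, outage_ms: int) -> int:
        # Model assumption: probes are evenly spaced and the outage starts on a
        # probe boundary, so an outage of N ms swallows N // interval probes.
        return outage_ms // self.ping_interval_ms

    def destination_down(self, outage_ms: int) -> bool:
        # A destination is declared down once ping_count consecutive probes fail.
        return self.pings_lost(outage_ms) >= self.ping_count

    def failed(self, outages_ms: Dict[str, int]) -> bool:
        down = [self.destination_down(outages_ms.get(dst, 0)) for dst in self.destinations]
        return all(down) if self.failure_condition == "all" else any(down)


@dataclass
class PathMonitoring:
    """Top-level path-monitoring setting: "any" failed group or "all" failed groups triggers failover."""
    failure_condition: str
    groups: List[PathGroup]

    def triggers_failover(self, outages_ms: Dict[str, int]) -> bool:
        failed = [g.failed(outages_ms) for g in self.groups]
        return all(failed) if self.failure_condition == "all" else any(failed)


# Configuration from the question: failure condition "any", one group with
# condition "all", destinations 8.8.8.8 and 4.2.2.2, 500 ms interval, count 3.
QUESTION_CONFIG = PathMonitoring(
    failure_condition="any",
    groups=[
        PathGroup(
            name="internet-dns",  # hypothetical group name
            destinations=["8.8.8.8", "4.2.2.2"],
            failure_condition="all",
            ping_interval_ms=500,
            ping_count=3,
        )
    ],
)

# The four scenarios offered as answers, as outage duration per destination (ms).
SCENARIOS = {
    "A": {"8.8.8.8": 1000},
    "B": {"8.8.8.8": 1000, "4.2.2.2": 1000},
    "C": {"8.8.8.8": 2000, "4.2.2.2": 2000},
    "D": {"4.2.2.2": 2000},
}


def evaluate(config: PathMonitoring, scenarios: Dict[str, Dict[str, int]]) -> Dict[str, bool]:
    """Return, per scenario, whether the configured path monitoring would fail the active firewall over."""
    return {label: config.triggers_failover(outages) for label, outages in scenarios.items()}


if __name__ == "__main__":
    for label, result in evaluate(QUESTION_CONFIG, SCENARIOS).items():
        print(f"{label}: failover={result}")
```

With a 500 ms interval and a count of 3, a destination needs roughly 1.5 s of unreachability before it counts as down, and the "all" condition requires both destinations to reach that state; under this model only the scenario where both addresses are unreachable for 2 seconds triggers failover. Changing the group condition to "any" would make a single destination outage sufficient.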

Question 7

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

Options:

A.

link requirements

B.

the name of the ISP

C.

IP Addresses

D.

branch and hub locations

Question 8

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?

Options:

A.

It applies to existing sessions and is not global

B.

It applies to new sessions and is global

C.

It applies to new sessions and is not global

D.

It applies to existing sessions and is global

Question 9

A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding, the following options and licenses were selected and enabled:

- Prisma Access for Remote Networks: 300 Mbps

- Prisma Access for Mobile Users: 1500 Users

- Cortex Data Lake: 2 TB

- Trusted Zones: trust

- Untrusted Zones: untrust

- Parent Device Group: shared

How can you configure Prisma Access to provide the same level of access as the current VPN solution?

Options:

A.

Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet

B.

Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

C.

Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet

D.

Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet

Question 10

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two.)

Options:

A.

client certificate

B.

certificate profile

C.

certificate authority (CA) certificate

D.

server certificate

Question 11

An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Options:

A.

Self-signed CA and End-entity certificate

B.

Root CA and Intermediate CA(s)

C.

Self-signed certificate with exportable private key

D.

Intermediate CA(s) and End-entity certificate

Question 12

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Options:

A.

Syslog listener

B.

agentless User-ID with redistribution

C.

standalone User-ID agent

D.

captive portal

Question 13

WildFire will submit for analysis blocked files that match which profile settings?

Options:

A.

files matching Anti-Spyware signatures

B.

files that are blocked by URL filtering

C.

files that are blocked by a File Blocking profile

D.

files matching Anti-Virus signatures

Question 14

What is the best description of the HA4 Keep-Alive Threshold (ms)?

Options:

A.

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

D.

The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Question 15

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Options:

A.

Create a no-decrypt Decryption Policy rule.

B.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

C.

Create a Dynamic Address Group for untrusted sites

D.

Create a Security Policy rule with vulnerability Security Profile attached.

E.

Enable the “Block sessions with untrusted issuers” setting.

Question 16

What is the best description of the HA4 Keep-Alive Threshold (ms)?

Options:

A.

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

D.

The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Question 17

What best describes the HA Promotion Hold Time?

Options:

A.

the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices

B.

the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously

C.

the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

D.

the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

Question 18

Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?

Options:

A.

within the log forwarding profile attached to the Security policy rule

B.

within the log settings option in the Device tab

C.

in WildFire General Settings, select "Report Grayware Files"

D.

in Threat General Settings, select "Report Grayware Files"

Question 19

Which GlobalProtect component must be configured to enable Clientless VPN?

Options:

A.

GlobalProtect satellite

B.

GlobalProtect app

C.

GlobalProtect portal

D.

GlobalProtect gateway

Question 20

The firewall identifies a popular application as unknown-tcp.

Which two options are available to identify the application? (Choose two.)

Options:

A.

Create a custom application.

B.

Submit an App-ID request to Palo Alto Networks.

C.

Create a custom object for the application server.

D.

Create a Security policy to identify the custom application.

Question 21

A user at an internal system queries the DNS server for their web server, which has a private IP of 10.250.241.131. The DNS server returns the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D
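The point this question tests is the order in which PAN-OS evaluates a U-turn session: the NAT rule is matched on pre-NAT zones and addresses (the destination zone coming from a route lookup on the public IP), while the security rule is matched on the pre-NAT destination address but the post-NAT destination zone. The script below is an added example (not from the practice test and not Palo Alto Networks code) that walks a session through that sequence. The topology is constructed: clients on 10.10.0.0/16 in zone trust, the web server 10.250.241.131 in a zone named dmz behind a firewall interface at 10.250.241.1, and a default route towards zone untrust; the rule names and the choice of dmz for the server are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    zone: str


@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str             # pre-NAT destination zone: route lookup on the ORIGINAL destination
    dst_ip: str               # pre-NAT destination address (the public IP)
    translated_dst: str
    translated_src: Optional[str] = None   # U-turn source translation for symmetric return traffic


@dataclass
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str             # evaluated against the POST-NAT destination zone
    dst_ip: str               # evaluated against the PRE-NAT destination address
    action: str


def zone_for(ip: str, routes: List[Route]) -> str:
    """Longest-prefix route lookup returning the egress zone for an address."""
    addr = ipaddress.ip_address(ip)
    best = max(
        (r for r in routes if addr in ipaddress.ip_network(r.prefix)),
        key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
    )
    return best.zone


def _in(ip: str, prefix: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def evaluate_flow(src_ip: str, src_zone: str, dst_ip: str, routes: List[Route],
                  nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> dict:
    """Walk a new session through NAT lookup, then security-policy lookup, in PAN-OS order."""
    pre_dst_zone = zone_for(dst_ip, routes)
    nat = next((r for r in nat_rules
                if r.src_zone == src_zone and r.dst_zone == pre_dst_zone and _in(dst_ip, r.dst_ip)), None)
    post_dst_ip = nat.translated_dst if nat else dst_ip
    post_src_ip = nat.translated_src if (nat and nat.translated_src) else src_ip
    post_dst_zone = zone_for(post_dst_ip, routes)
    # Security policy: pre-NAT destination address, post-NAT destination zone.
    sec = next((r for r in sec_rules
                if r.src_zone == src_zone and r.dst_zone == post_dst_zone and _in(dst_ip, r.dst_ip)), None)
    return {
        "pre_nat_dst_zone": pre_dst_zone,
        "nat_rule": nat.name if nat else None,
        "post_nat_dst_ip": post_dst_ip,
        "post_nat_src_ip": post_src_ip,
        "post_nat_dst_zone": post_dst_zone,
        "security_rule": sec.name if sec else None,
        "action": sec.action if sec else "deny (no rule matched)",
    }


# Constructed topology (assumptions, not from the question).
ROUTES = [
    Route("10.10.0.0/16", "trust"),
    Route("10.250.241.0/24", "dmz"),
    Route("0.0.0.0/0", "untrust"),
]

NAT_RULES = [
    NatRule("U-Turn-Web", src_zone="trust", dst_zone="untrust", dst_ip="200.1.1.10/32",
            translated_dst="10.250.241.131", translated_src="10.250.241.1"),
]

SECURITY_RULES = [
    # Wrong: uses the pre-NAT zone (untrust); it never matches the U-turn session.
    SecurityRule("Wrong-Uturn", src_zone="trust", dst_zone="untrust", dst_ip="200.1.1.10/32", action="allow"),
    # Right: post-NAT zone (dmz) with the pre-NAT destination address (200.1.1.10).
    SecurityRule("Allow-Web-Uturn", src_zone="trust", dst_zone="dmz", dst_ip="200.1.1.10/32", action="allow"),
]


if __name__ == "__main__":
    print(evaluate_flow("10.10.5.20", "trust", "200.1.1.10", ROUTES, NAT_RULES, SECURITY_RULES))
```

The NAT rule must name untrust as its destination zone because that is where 200.1.1.10 routes before translation, whereas the security rule must name the server's real zone with the public address still as its destination; a rule written with zone untrust (the "Wrong-Uturn" entry) silently never matches and the session is dropped. The source translation to the firewall's own interface address is what keeps the server's replies flowing back through the firewall when client and server sit in the same segment.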

Question 22

Match each GlobalProtect component to the purpose of that component

Options:
