PCNSE (Palo Alto) Mock-up Test – 6 (Paid) (45questions)

Post Views: 46

Please enter your email:

1. An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

A. Enable and configure the Packet Buffer Protection thresholds. Enable Packet Buffer Protection per ingress zone.

B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.

C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.

D. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

2. Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

A. Palo Alto Networks > Symantec > VeriSign

B. VeriSign > Symantec > Palo Alto Networks

C. Symantec > VeriSign > Palo Alto Networks

D. VeriSign > Palo Alto Networks > Symantec

3. Which log file can be used to identify SSL decryption failures?

A. Traffic

B. ACC

C. Configuration

D. Threats

4. A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.

Which option differentiates multiple VLANs into separate zones?

A. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.

B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. 1ssign each interface/subinterface to a unique zone. Do not assign any interface an IP address.

D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

5. An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

C. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-145-C.png

6. Which event will happen if an administrator uses an Application Override Policy?

A. Threat-ID processing time is decreased.

B. The Palo Alto Networks NGFW stops App-A4 processing at Layer 4.

C. The application name assigned to the traffic by the security rule is written to the Traffic log.

D. App-ID processing time is increased.

7. Which feature can provide NGFWs with User-ID mapping information?

A. Web Captcha

B. Native 802.1q authentication

C. GlobalProtect

D. Native 802.1x authentication

8. An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.

Which log entry can the administrator use to verify that sessions are being decrypted?

A. In the details of the Traffic log entries

B. Decryption log

C. Data Filtering log

D. In the details of the Threat log entries

9. A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.

Which Security Profile type will prevent these behaviors?

A. Anti-Spyware

B. WildFire

C. Vulnerability Protection

D. Antivirus

10. In which two types of deployment is active/active HA configuration supported? (Choose two.)

A. Layer 3 mode

B. TAP mode

C. Virtual Wire mode

D. Layer 2 mode

11. Which feature can be configured on VM-Series firewalls?

A. aggregate interfaces

B. machine learning

C. multiple virtual systems

D. GlobalProtect

12. Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

A. ACC

B. System Logs

C. App Scope

d. Session Browser

13. Which logs enable a firewall administrator to determine whether a session was decrypted?

A. Traffic

B. Security Policy

C. Decryption

D. Correlated 1vent

14. The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.

Which two options would help the administrator troubleshoot this issue? (Choose two.)

A. The administrator has enabled 1GP on a virtual router on the Palo 1lto Networks NG1W, but new routes do not seem to be populating the virtual router.

Which two options would help the administrator troubleshoot this issue? (Choose two.)

B. Perform a traffic pcap on the NGFW to see any BGP problems.

C. View the Runtime Stats and look for problems with BGP configuration.

D. 1. View the ACC tab to isolate routing issues.

15. The firewall identifies a popular application as an unknown-tcp.

Which two options are available to identify the application? (Choose two.)

A. Create a custom application.

B. Create a custom object for the custom application server to identify the custom application.

C. Submit an Apple-ID request to Palo Alto Networks.

D. Create a Security policy to identify the custom application.

16. Which option enables a Palo Alto Networks NGDW administrator to schedule 1pplication and Threat updates while applying only new content-IDs to traffic?

A. Select download-and-install

B. Select download-only

C. Select download-and-install, with “Disable new apps in content update” selected

D. Select disable application updates and select “Install only Threat updates”

17. Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

A. System Utilization log

B. System log

C. Resources widget

D. CPU Utilization widget

18. Which three file types can be forwarded to Wild1ire for analysis as a part of the basic Wild1ire service? (Choose three.)

a. .dll

b. .exe

c. .fon

d. .apk

e. .pdf

f. .jar

19. What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

A. ethernet1/7

B. ethernet1/5

C. Nethernet1/6

D. 1. ethernet1/3

20. Which CLI command enables an administrator to check the CPU utilization of the dataplane?

A. show running resource_monitor

B. debug data_plan dp_ cpu

C. show system resource

D. debug running resource

21. Which three firewall states are valid? (Choose three.)

A. Active

B. Functional

C. Pending

D. Passive

E. Suspended

22. An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third- party, deep-level packet inspection appliance.

Which interface type and license feature are necessary to meet the requirement?

A. . Decryption Mirror interface with the Threat 1nalysis license

B. Virtual Wire interface with the Decryption Port Export license

C. Tap interface with the Decryption Port Mirror license

D. Decryption Mirror interface with the associated Decryption Port Mirror license

23. Which operation will impact the performance of the management plane?

a. DoS protection

b. Wild1ire submissions

C. generating a SaaS Application report

d. decrypting SSL sessions

24. The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

A. 6-tuple match:
Source IP 1ddress, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone

B. 5-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol

C. 7-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone

D. 9-tuple match:
Source IP Address, 1estination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

25. In a virtual router, which object contains all potential routes?

A. MIB

B. RIB

C. SIB

D. FIB

26.

A. Certificate from Default Trust Certificate Authorities

B. Domain Sub-CA

C. Forward_Trust

D. Domain-Root-Cert

27. Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

A. Push

B. Pull

C. Okta Adaptive

D. Voice

E. SMS

28. An administrator creates a custom application containing Layer 1 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.

Which application should be used to identify traffic traversing the NGFW?

A. . Custom application

B. System logs show an application error and neither signature is used.

C. Downloaded application

D. Custom and downloaded application signature files are merged and both are used

29. SAML SLO is supported for which two firewall features? (Choose two.)

A. GlobalProtect Portal

B. CaptivePortal

C. WebUI

D. CLI

30. Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to

B. scp extract mgmt-pcap from mgmt.pcap to

C. scp export mgmt-pcap from mgmt.pcap to

D. download mgmt-pcap

31. When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

a. Load configuration version

b. Save candidate config

C. export device state

d. Load named configuration snapshot

32. If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?

A. SSL Forward Proxy

B. SSL Inbound Inspection

C. TLS Bidirectional proxy

D. SSL Outbound Inspection

33. Which two benefits come from assigning a Decryption Profile to a 1ecryption policy rule with a “No Decrypt” action? (Choose two.)

A. Block sessions with expired certificates

B. Block sessions with client authentication

C. Block sessions with unsupported cipher suites

D. Block sessions with untrusted issuers

E. Block credential phishing

34. Which Zone Pair and Rule Type will allow a successful connection for a user on the Internet zone to a web server hosted on the DMZ zone? The web server is reachable using a 1estination NAT policy in the Palo Alto Networks firewall.

B. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-B.jpg

C. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-C.jpg

D. https://www.networkjourney.com/wp-content/uploads/2020/06/Q-107-D.jpg

35. During the packet flow process, which two processes are performed in application identification? (Choose two.)

A. Pattern based application identification

B. Application override policy match

C. Application changed from content inspection

D. Session application identified.

36. Which three user authentication services can be modified to provide the Palo Alto Networks NGfW with both usernames and role names? (Choose three.)

A. TACACS+

B. Kerberos

C. PAP

D. LADP

E. SAML

F. RADIUS

37. Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?

A. URL Filtering profile

B. Zone Protection profile

C. Anti-Spyware profile

D. Vulnerability Protection profile

38. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

A. application override

B. Virtual Wire mode

C. content inspection

D. redistribution of user mappings

39. A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

A. Add an Anti-Spyware Profile to block attacking IP address

B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server

C. Add QoS Profiles to throttle incoming requests

D. Add a tuned DoS Protection Profile

40. Which feature prevents the submission of corporate login information into website forms?

A. Data filtering

B. . User-ID

C. File blocking

D. Credential phishing prevention

41. Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

a. CRL

b. CRT

C. OCSP

d. Cert-Validation-Profile

e. SSL/TLS Service Profile

42. A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.

Which option will protect the individual servers?

A. Enable packet buffer protection on the Zone Protection Profile.B.

B. Apply an Anti-Spyware Profile with DNS sinkholing.

C. Use the DNS App-ID with application-default.

D. Apply a classified DoS Protection Profile.

43. An administrator has users accessing network resources through Citrix Xen1pp 7.x.

Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

A. Client Probing

B. Terminal Services agent

C. GlobalProtect

D. Syslog Monitoring

44. Which version of GlobalProtect supports split tunneling based on destination domain, client process, and

HTTP/HTTPS video streaming application?

A. GlobalProtect version 4.0 with PAN-OS 8.1

B. GlobalProtect version 4.1 with PAN-OS 8.1

C. GlobalProtect version 4.1 with PAN-OS 8.0

D. GlobalProtect version 4.0 with PAN-OS 8.0

45. A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

A. Aefine a custom App-ID to ensure that only legitimate application traffic reaches the server.

B. Add a Vulnerability Protection Profile to block the attack.

C. Add DoS Profiles to throttle incoming requests.

D. Add a DoS Protection Profile with defined session count.

Question 1 of 45

Dhawan Sagar

Hi all,
Good to see you here.
I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up!
Stay tuned for latest updates!
Keep me posted over Whatsapp/Email about your experience learning from us.
Thanks for being part of - "Network Journey - A journey towards packet-life!!!"

21 DAYS CCNA BOOTCAMP	Click to Watch
PYTHON3/ANSIBLE for NETWORK AUTOMATION	Click to Watch
"FIREWALL MASTERY" : PA + FGT+ CP + ASA/FTD + F5 LTM	Click to Watch
OSPF+BGP+MPLS	Click to Watch
SDN ORCHESTRATION	Click to Watch

PYTHON NETWORK AUTOMATION	Read Course Outline
CCNA + CCNP ENTERPRISE	Read Course Outline
CCNA to CCIE SECURITY	Read Course Outline
CISCO DEVNET + DEVCOR	Read Course Outline
"MASTER CLOUD" : AZ700 + AWS + GCP	Read Course Outline
"FIREWALL MASTERY" : PA + FGT+ CP + ASA/FTD + F5 LTM	Read Course Outline
CISCO DNAC	Read Course Outline
CISCO ISE	Read Course Outline
MULTI-VENDOR TRAINING	Read Course Outline
SDN ORCHESTRATION	Read Course Outline

Dhawan Sagar

PCNSE (Palo Alto) Mock-up Test – 5 (Paid) (35questions)

What Are Benefits to-do CCNP First and Not CCNA in 2020??

About Us

Quick Links

Support Links

Have Questions?

PCNSE (Palo Alto) Mock-up Test – 6 (Paid) (45questions)

Dhawan Sagar

PCNSE (Palo Alto) Mock-up Test – 5 (Paid) (35questions)

What Are Benefits to-do CCNP First and Not CCNA in 2020??

Related Posts

OSPF Protocol: in-depth Overview & Video Tutorials

PCNSE (Palo Alto) Mock-up Test – 3 (Free) (23questions)

Ticket#5 – OSPF Neighbor Stuck in INIT/2WAY – How to Diagnose and Resolve [CCNP ENTERPRISE]

The Hidden Superpower of Routers – Master Virtual Routing & VRF Today [CCNP ENTERPRISE]