Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Palo Alto Networks PCNSE

Palo Alto Networks PCNSE Exam Practice Questions (P. 3)

  • Full Access (619 questions)
  • Six months of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #21
What are two benefits of nested device groups in Panorama? (Choose two.)
  1. A
    Reuse of the existing Security policy rules and objects
  2. B
    Requires configuring both function and location for every device
  3. C
    All device groups inherit settings from the Shared group
  4. D
    Overwrites local firewall configuration

Correct Answer:
AC
chatbot-img GPT-4o - Answer
The benefits of nested device groups in Panorama, specifically points A and C, involve significant efficiency in security management. Utilizing nested device group structures allows for the reusing of security policy rules and objects across multiple firewalls, significantly reducing administrative overhead and enhancing consistency. Additionally, all device groups inheriting settings from the shared group streamline processes and ensure uniform policy enforcement, making management scalable and less error-prone. This structure supports a centralized yet customizable control over policies and objects, crucial in larger or more complex network environments.

Question #22
Which Captive Portal mode must be configured to support MFA authentication?
  1. A
    NTLM
  2. B
    Redirect
  3. C
    Single Sign-On
  4. D
    Transparent

Correct Answer:
B
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication

Question #23
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required.
Which interface type would support this business requirement?
  1. A
    Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
  2. B
    Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
  3. C
    Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
  4. D
    Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Correct Answer:
A
chatbot-img GPT-4o - Answer
The correct choice, A, using Virtual Wire interfaces, adequately addresses the requirement due to the limitations in protocol support by Palo Alto Networks devices. Virtual Wire interfaces function in a transparent manner, allowing existing configurations like EIGRP—which is Cisco proprietary and not natively supported on Palo Alto Networks—to continue operating without hindrance. This setup ensures that EIGRP routes between the Core and DMZ are maintained without requiring direct integration of the routing protocol into the Palo Alto Networks environment.

Question #24
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port to which it connects.
How would an administrator configure the interface to 1Gbps?
  1. A
    set deviceconfig interface speed-duplex 1Gbps-full-duplex
  2. B
    set deviceconfig system speed-duplex 1Gbps-duplex
  3. C
    set deviceconfig system speed-duplex 1Gbps-full-duplex
  4. D
    set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Correct Answer:
C
Reference:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034

Question #25
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080?
  1. A
    application: web-browsing; service: application-default
  2. B
    application: web-browsing; service: service-https
  3. C
    application: ssl; service: any
  4. D
    application: web-browsing; service: (custom with destination TCP port 8080)

Correct Answer:
D
chatbot-img GPT-4o - Answer
The selection of "web-browsing" as the application and a custom service with TCP port 8080 is correct for enabling cleartext (HTTP) web browsing traffic to a server set on this non-standard port. This setup directly addresses the requirement of targeting HTTP traffic specifically on port 8080, where typical configurations, such as application-default for web-browsing, would not suffice since it covers only the well-known HTTP port 80. By creating a custom service to specify the exact port, we ensure that the policy properly aligns with the server’s listening configuration and the security needs.

Question #26
If the firewall has the following link monitoring configuration, what will cause a failover?

  1. A
    ethernet1/3 and ethernet1/6 going down
  2. B
    ethernet1/3 going down
  3. C
    ethernet1/3 or ethernet1/6 going down
  4. D
    ethernet1/6 going down

Correct Answer:
A

Question #27
In the image, what caused the commit warning?

  1. A
    The CA certificate for FWDtrust has not been imported into the firewall.
  2. B
    The FWDtrust certificate has not been flagged as Trusted Root CA.
  3. C
    SSL Forward Proxy requires a public certificate to be imported into the firewall.
  4. D
    The FWDtrust certificate does not have a certificate chain.

Correct Answer:
A
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete- certificate-chains

Question #28
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OSֲ® software?
  1. A
    Okta
  2. B
    DUO
  3. C
    RADIUS
  4. D
    PingID

Correct Answer:
C
chatbot-img GPT-4o - Answer
RADIUS is the method to utilize when integrating any MFA platforms that are not natively supported by PAN-OS. It acts as a universal solution to link with various third-party MFA providers, which is not possible through direct integrations like Okta, DUO, or PingID that only support specific platforms. This capability of RADIUS to offer extensive compatibility makes it essential for a flexible and inclusive network security environment.

Question #29
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?
  1. A
    Use the debug dataplane packet-diag set capture stage firewall file command.
  2. B
    Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
  3. C
    Use the debug dataplane packet-diag set capture stage management file command.
  4. D
    Use the tcpdump command.

Correct Answer:
D
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

Question #30
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications.
QoS natively integrates with which feature to provide service quality?
  1. A
    Port Inspection
  2. B
    Certificate revocation
  3. C
    Content-ID
  4. D
    App-ID

Correct Answer:
D
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/quality-of-service/qos-concepts/qos-for-applications-and-users#idaed4e749-80b4-
4641-a37c-c741aba562e9

Previous Questions Next Questions

All Pages