Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Paloalto Networks PCNSE - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Paloalto Networks PCNSE Premium Access     Download Demo    
Page: 5 / 12
Total 346 questions

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A.

PAN-OS integrated User-ID agent

B.

GlobalProtect

C.

Windows-based User-ID agent

D.

LDAP Server Profile configuration

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

A.

It blocks all communication with the server indefinitely.

B.

It downgrades the protocol to ensure compatibility.

C.

It automatically adds the server to the SSL Decryption Exclusion list.

D.

It generates an decryption error message but allows the traffic to continue decryption.

Which type of zone will allow different virtual systems to communicate with each other?

A.

Tap

B.

External

C.

Virtual Wire

D.

Tunnel

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

A.

Configure a floating IP between the firewall pairs.

B.

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.

On one pair of firewalls, run the CLI command: set network interface vlan arp.

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.