Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Paloalto Networks PCNSE - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Paloalto Networks PCNSE Premium Access     Download Demo    
Page: 6 / 12
Total 374 questions

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?

A.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet.1 and $permitted-subnet-2.

B.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

Which protocol is supported by Global Protect clientless VPN

A.

FTP

B.

SSH

C.

HTTPS

D.

RDP

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: Static IP / 172.16.15.1Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 172.16.15.10 -Application: ssh

B.

NAT Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP / 172.16.15.10Security Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

C.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP /172.16.15.10Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

D.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: dynamic-ip-and-port / ethernet1/4Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

Which Panorama feature protects logs against data loss if a Panorama server fails?

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value.

Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two )

A.

Configure the DNS server locally on the firewall.

B.

Change the DNS server on the global template.

C.

Override the DNS server on the template stack.

D.

Configure a service route for DNS on a different interface.

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

A.

It blocks all communication with the server indefinitely.

B.

It downgrades the protocol to ensure compatibility.

C.

It automatically adds the server to the SSL Decryption Exclusion list.

D.

It generates an decryption error message but allows the traffic to continue decryption.

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

A.

Configure the option for “Threshold”.

B.

Disable automatic updates during weekdays.

C.

Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.

D.

Automatically “download and install” but with the “disable new applications” option used.

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?

A.

Create a Group Mapping with 800 groups in the Group Include List.

B.

Create two Group Include Lists, each with 400 Active Directory groups.

C.

Create a Group Include List with the 800 Active Directory groups.

D.

Create two Group Mappings, each with 400 groups in the Group Include List.

An administrator pushes a new configuration from Panorama to a par of firewalls that are configured as an active/passive HA pair. Which NGFW receives the from Panorama?

A.

The active firewall which then synchronizes to the passive firewall

B.

The passive firewall, which then synchronizes to the active firewall

C.

Both the active and passive firewalls which then synchronize with each other

D.

Both the active and passive firewalls independently, with no synchronization afterward