PCNSE(201-248)

46問 • 2年前

問題一覧

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface ? Choose two

Virtual router, Security zone

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which options differentiates multiple VLAN into separate zones ?

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to unique zone

Which statement accurately describes service routes and virtual systems ?

Virtual systems that do not have a specific service routes configured inherit the global service and service route settings for the firewall.

An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same firewall. The update contains an application that matches the same traffic signatures as the custom application. Which application will be used to identify traffic traversing the firewall ?

Custom application

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust Certificate ?

A self-signed Certificate Authority certificate generated by the firewall

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet 1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to failure ?

Active

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group. NYC-DC has NYC-FW as a member of the NYC-DC device-group. What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama ?

Address Objects -Shared Address 1 -Shared Address 2 -Branch Address 1 Policies -Shared Policy 1 -Branch Policy 1

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is in the Threat logs. What should the administrator do to allow the tool to scan through the firewall ?

Add the IP address to the reconnaissance protection source address exclusion in the DoS protection profile

- - -. The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using command :> request resort system Upon restart, the firewall fails to begin the bootstrapping process. The failure ls caused because

The USB must be formatted using the ext3 file system, FAT32 is not supported

Which three items are import considerations during SD-WAN configuration planning ? Choose three

link requirements, IP Addresses, branch and hub locations

An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator troubleshooting this issue ? Choose three

Use the CLI command show high-availability flap-statistics, Check the HA Link Monitoring interface cables, Check the High Availability > Link and Path Monitoring seeings

An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow ?

Layer 3 security chain

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices ?

verify and install, upload and install, install and reboot

A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-premise network devices. What should the administrator implement ?

hot potato routing

When you navigate to Network: > GrobalProtect > Portals > Method section, which three options are available ? Choose three

on-demand (manual user initiated connection), user-logon (always on), pre-logon then on-demand

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications QoS natively integrates with which feature to provide service quality ?

App-ID

Which statement is true regarding a Best Practice Assessment ?

It shows how your current configuration compares to PaloAlto Networks recommendations

An administrator wants to configure the PaloAlto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet : 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28. and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section ?

The IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers

When an in-band data port is set up to provide access to require services, what is required for an interface that is assigned to service routes ?

You must use a static IP address

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements ?

Change the HA timer profile to "user-defined" and manually set the timers

A network administrator wants to use a certificate for SSL/TLS Service Profile. Which type of certificate should the administrator use ?

server certificate

Users at internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1. In order to reach the SSH server only from the Trust zoue, which Security rule and NAT rule must be configured on the firewall ?

NAT Rule : Source Zone : Trust Source IP : Any Destination Zone : Server Destination IP : 172.16.15.10 Source Translation : dynamic-ip-and-port ethernet1/4 Security Rule : Security Zone : Trust Source IP : Any Destination Zone : Server Destination IP : 172.16.15.10 Application : SSH

An administrator analyzes the following portion of a VPN system log and notices the following issue. "Reviced local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0." What is the cause of the issue ?

mismatched Proxy-IDs

A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practice to ensure consistent performance ?

Use PFS in a Decryption for higher-priority and higher risk traffic, and use the less processor-intensive decryption for lower-risk traffic

A company is looking to increase redundancy in their network. Which interface type could help accomplish this ?

Aggregate ethernet

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. ① ② ③ ④ ⑤

①In eitherthe NGFW or in Panorama, on the Operations/Support tab, download the technical support file, ②Log in the Customer Support Portal(CSP) and negotiate to Tools > Best Practice Assessment, Upload or drag and drop the technical support file, Map the zone type and area of the architecture to each zone, Follow the steps to download the BPA report bundle

How can administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls ?

Choose the download and install action for both members of the HA pair in the Schedule object

An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However a recent phishing campaign against the organization has promoted Information Security to look for more controls that can secure access to critical assets. For users that needs to access there systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA1 ?

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

Which statement regarding HA timer settings is true ?

Use the Recommended profile for typical failover timer settings

What is a key step in implementing WildFire best practices ?

Ensure that a Threat Prevention subscription is active

An administrator wants to multiple web servers in the DMZ to receive connections initiated from the Internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22. Based on the image, which NAT rule will forward web-browsing traffic correctly ?

Source IP : Any Destination IP : 206.15.22.9 Source Zone : Internet Destination Zone : Internet Destination Service : 80/TCP Action : Destination NAT Translated IP : 10.1.1.22 Translated Port : Zone

A network security engineer attempted to configure a bootstrap package on Microsoft Azure, but virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and / software. Why did the bootstrap process fail for the VM-Series firewall in Azure ?

The /content folder is missing from the bootstrap package

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall. Which three types of interfaces support SSL Forward Proxy ? Choose three

Layer, Virtual Wire, Layer 3

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task ? (Choose two)

System logs, Task Manager

Which GrobalProtect component must be configured to enable Clientless VPN ?

GrobalProtect portal

An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network. What is a common obstacle for decrypting traffic from guest devices ?

Guest devices may not trust the CA certificate used for the forward trust certificate

What are three reasons for excluding a site from SSL decryption ? Choose three

unsupported ciphers, mutual authentication, certificate pinning

Which configuration task is best for reducing load on the management plane ?

Disable pre-defined reports

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS(Perfect Forward Security) needs to be enabled What action should the engineer take ?

Enable PFS under the IKE gateway advanced options

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL1 ?

PAN-DB URL category in URL filtering profile

Which profile generates a packet threat type found in threat logs ?

Zone Protection

A remote administrator needs firewall access on a untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the Web UI ? Choose two

certificate profile, certificate authority (CA) certificate

WildFire will submit for analysis blocked that match which profile settings ?

files matching Anti-Virus signatures

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall ?

The firewall rejects the pushed configuration, and the commit fails

place the steps in the WildFire process workflow in their correct order ① ② ③ ④

①The firewall hashes the firewall and looks up a verdict in the WildFire database. However, the firewall does not find a match, ②WildFire uses static analysis based on machine learning to analyze the file, in order to classify malicious features, ③Regardless of the verdict, WildFire uses a heuristic engine to examine the file and determines that the file exhibits suspicious behavior, ④WildFire genrates a new DNS, URL categorization, and antivirus signatures for the new threat

A customer is replacing thier legacy remote access VPN solution. The current solution is in place to secure only internet egress for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled. -Prisma Access for Remote Networks 300Mbps -Prisma Access for Mobile Users 1500 Users -Cortex Data lake 2 TB -Trusted Zones trust -Untreated Zones untrust -Parent Device Group shared How can you configure Prisma Access to provide the same level of access as the current VPN solution ?

Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet, Configure mobile users with a service connection and trust-to-trust Security policy rules to allow the desired traffic outbound to the internet, Configure remote networks with a service connection and trust-to-untrust Security policy rules to allow the desired traffic outbound to the internet, Configure remote networks with trust-to-trust Security policy rules to allow the desired traffic outbound to the internet