PCNSE : Palo Alto Networks Certified Network Security Engineer : Part 07
-
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?
- Malware
- Grayware
- Phishing
- Spyware
-
When configuring the firewall for packet capture, what are the valid stage types?
- receive, management, transmit, and non-syn
- receive, management, transmit, and drop
- receive, firewall, send, and non-syn
- receive, firewall, transmit, and drop
-
Which operation will impact the performance of the management plane?
- DoS protection
- WildFire submissions
- generating a SaaS Application report
- decrypting SSL sessions
-
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
- syslog listening
- server monitoring
- client probing
- port mapping
-
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
- 6-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone - 5-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol - 7-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone - 9-tuple match:
Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
- 6-tuple match:
-
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
- At-boot
- Pre-logon
- User-logon (Always on)
- On-demand
-
Which feature can provide NGFWs with User-ID mapping information?
- Web Captcha
- Native 802.1q authentication
- GlobalProtect
- Native 802.1x authentication
-
Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)
- Role Based
- Custom Panorama Admin
- Device Group
- Dynamic
- Template Admin
-
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
- Select download-and-install
- Select download-only
- Select download-and-install, with “Disable new apps in content update” selected
- Select disable application updates and select “Install only Threat updates”
-
Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
- 10,000
- 15,000
- 7,500
- 5,000
-
In which two types of deployment is active/active HA configuration supported? (Choose two.)
- Layer 3 mode
- TAP mode
- Virtual Wire mode
- Layer 2 mode
-
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)
- ingress processing errors
- rule match with action “deny”
- rule match with action “allow”
- equal-cost multipath
-
Which logs enable a firewall administrator to determine whether a session was decrypted?
- Traffic
- Security Policy
- Decryption
- Correlated Event
-
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
– Firewall has internet connectivity through e 1/1.
– Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
– Service route is configured, sourcing update traffic from e1/1.
– A communication error appears in the System logs when updates are performed.
– Download does not complete.What must be configured to enable the firewall to download the current version of PAN-OS software?
- Static route pointing application PaloAlto-updates to the update servers
- Security policy rule allowing PaloAlto-updates as the application
- Scheduler for timed downloads of PAN-OS software
- DNS settings for the firewall to use for resolution
-
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
- Add an Anti-Spyware Profile to block attacking IP address
- Define a custom App-ID to ensure that only legitimate application traffic reaches the server
- Add QoS Profiles to throttle incoming requests
- Add a tuned DoS Protection Profile
-
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?
- Antivirus update package.
- Applications and Threats update package.
- User-ID agent.
- WildFire update package.
Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgrade-the-firewall-to-pan-os-80/upgrade-an-ha-firewall-pair-to-pan-os-80
-
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to prevent against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?
- Anti-Spyware
- WildFire
- Vulnerability Protection
- Antivirus
Explanation:Reference:https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/anti-spyware-profiles -
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
- Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
- An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
- When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
- Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
Explanation:Reference:https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-81/upgradedowngrade-considerations -
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
- CRL
- CRT
- OCSP
- Cert-Validation-Profile
- SSL/TLS Service Profile
Explanation:Reference:https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management/set-up-verification-for-certificate-revocation-status -
Which administrative authentication method supports authorization by an external service?
- Certificates
- LDAP
- RADIUS
- SSH keys
Explanation:Reference:https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewall-administration/manage-firewall-administrators/administrative-authentication
Subscribe
0 Comments
Newest