Palo Alto Networks Certified Network Security Consultant PCNSC Exam Questions

Total 60 questions
Question 1

An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall.

What additional license do they need to purchase?



Answer : A

To start using Device-ID to obtain policy rule recommendations, the customer needs to purchase:

A . a Cortex Data Lake license

The Cortex Data Lake is a cloud-based logging service that aggregates data from all Palo Alto Networks products and services. Device-ID uses this data to provide insights and recommendations for policy rules based on the identities of devices on the network.


Palo Alto Networks - Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake

Palo Alto Networks - Device-ID Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-device-id-to-enforce-policy

Question 2

Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three.)



Answer : A, B, E

To set up tunnel monitoring on an IPsec VPN tunnel between two offices, the following steps are needed:

A . Create a monitoring profile: This profile defines the criteria for monitoring, such as the IP address to ping and the failure condition.

B . Add an IP address to each tunnel interface: Tunnel monitoring requires an IP address on each tunnel interface to send and receive monitoring pings.

E . Enable tunnel monitoring on each IPsec tunnel: This step activates the monitoring profile on the IPsec tunnel, ensuring that the tunnel is actively monitored and can trigger alerts or failover mechanisms if the tunnel goes down.

These steps ensure that the tunnel is properly monitored, allowing for proactive detection and response to connectivity issues.


Palo Alto Networks - Configuring IPsec Tunnel Monitoring: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/site-to-site-vpn/configure-ipsec-tunnel-monitoring

Question 3

Examine the configured Security policy rule. Which day one/Iron Skillet Security Profile Group is used to secure the traffic that is permitted through this rule?



Answer : C

The security policy rule shown in the image is configured to permit traffic from a source zone LAN-User-Zone to a destination zone Server-Zone. The applications allowed include tftp, ssl, and web-browsing, and the action is allow. According to Iron Skillet day one configurations, which provide best practice security profiles for immediate deployment, the relevant security profile group used to secure internal traffic like this is the Internal profile group.

Iron Skillet provides predefined configuration templates including security profile groups like Internal, External, and others to quickly secure traffic according to typical deployment scenarios.


Palo Alto Networks - Iron Skillet Documentation: https://github.com/PaloAltoNetworks/iron-skillet

Question 4

Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)



Answer : B, C, D

The interface deployments that support the Aggregate Ethernet (AE) Active configuration are:

B . LACP in Layer 3: Link Aggregation Control Protocol (LACP) can be used in Layer 3 interfaces to bundle multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.

C . LACP in Layer 2: LACP can be used in Layer 2 interfaces to aggregate multiple Ethernet interfaces, enhancing throughput and providing failover capabilities within a Layer 2 network.

D . LACP in Virtual Wire: LACP can also be configured in Virtual Wire mode, which allows the firewall to aggregate interfaces while operating in a transparent mode, bridging traffic between interfaces without routing.

These configurations leverage LACP to improve network performance and reliability by combining multiple physical links into a single logical link.


Palo Alto Networks - Aggregate Interfaces: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/aggregate-ethernet-overview

Palo Alto Networks - LACP and LLDP Support: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/lacp-and-lldp-support

Question 5

Where and how is Expedition installed?



Answer : A

Expedition, the migration tool provided by Palo Alto Networks, is installed on an Ubuntu server. The installation process involves running a script that automatically downloads and installs all necessary dependencies.

A . On an Ubuntu server, by running an installation script that will automatically download all dependencies

This method simplifies the installation process by automating the download and configuration of all required components, ensuring that the installation is straightforward and minimizes the potential for errors related to missing dependencies.


Palo Alto Networks - Expedition Installation Guide: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool

Palo Alto Networks - Expedition User Guide: https://live.paloaltonetworks.com/t5/expedition-documentation/ct-p/migration_tool_docs

Question 6

Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of a content update?

(Choose two.)



Answer : B, D

Disabling App-IDs as part of a content update can be valid in the following circumstances:

B . When you want to immediately benefit from the latest threat prevention: Disabling certain App-IDs can help ensure that the latest threat prevention measures are applied without waiting for the App-IDs to be fully tested in a specific environment. This can be crucial in quickly addressing emerging threats.

D . When an organization operates a mission-critical network and has zero tolerance for downtime: In such environments, administrators might temporarily disable new or modified App-IDs to avoid potential disruptions caused by unverified or untested App-IDs. This ensures that the network remains stable and functional while the new App-IDs are evaluated in a controlled manner.


Palo Alto Networks - Best Practices for Application and Threat Content Updates: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-app-id/application-and-threat-content-updates

Palo Alto Networks - Application and Threat Content Release Notes: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/application-and-threat-content-release-notes

Question 7

Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?



Answer : C

To verify whether all SFP, SFP+, or QSFP modules are installed in a firewall, you should use the following CLI command:

C . show system state filter sys.s-phy*

This command provides detailed information about the physical state of the system, including the status of SFP, SFP+, and QSFP modules installed in the firewall.


Palo Alto Networks - CLI Commands for Troubleshooting Hardware Issues: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start/troubleshooting-hardware-issues

Palo Alto Networks - Understanding Hardware and Interface Details via CLI: https://knowledgebase.paloaltonetworks.com
