Palo Alto Networks PCNSE Exam Practice Test Instant Access

Question 1

Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

AKVM

BVMware ESX

CVMware NSX

DAWS

Answer : A, B

Question 2

Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)

ARun the User-ID Agent using an Active Directory account that has 'event log viewer' permissions

BEnable User-ID on the zone object for the destination zone

CRun the User-ID Agent using an Active Directory account that has 'domain administrator' permissions

DEnable User-ID on the zone object for the source zone

EConfigure a RADIUS server profile to point to a domain controller

Answer : A, D

Question 3

A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.

What should be done first?

ARemove the cable from the management interface, reload the log Collector and then re-connect that cable

BContact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments

Cremove the device from the Collector Group

DRevert to a previous configuration

Answer : C

Question 4

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

AMaster

BUniversal

CShared

DGlobal

Answer : C

Question 5

Refer to Exhibit:

A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.

He makes an HTTPS connection to 172.16.10.29.

What is the next hop IP address for the HTTPS traffic from Wills PC.

A172.20.30.1

B172.20.20.1

C172.20.10.1

D172.20.40.1

Answer : B

Question 6

Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

ACreate a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.

BWait until an official Application signature is provided from Palo Alto Networks.

CModify the session timer settings on the closest referanced application to meet the needs of the in-house application

DCreate a Custom Application with signatures matching unique identifiers of the in-house application traffic

Answer : D

Question 7

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.

Given the following zone information:

* DMZ zone: DMZ-L3

* Public zone: Untrust-L3

* Guest zone: Guest-L3

* Web server zone: Trust-L3

* Public IP address (Untrust-L3): 1.1.1.1

* Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

AUntrust-L3

BDMZ-L3

CGuest-L3

DTrust-L3

Answer : A