Which three steps must an administrator perform to load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production? (Choose three)
Answer : C, D, E
To load only address objects from a PAN-OS saved configuration file into a VM-300 firewall that is in production, the administrator must follow these three steps:
C . Enter the configuration mode from the CLI: This step is necessary to prepare the firewall to accept the new configuration.
D . Use the load config partial command: This command allows the administrator to load only specific parts of the configuration, such as address objects, from a saved configuration file without overwriting the entire configuration. The command syntax typically looks like this: load config partial from <source-configuration> mode merge exclude everything but address objects.
E . Import named configuration snapshot through the web interface: This involves importing the configuration snapshot that contains the address objects through the web interface, but only after ensuring that the specific address objects are targeted and not the entire configuration.
Palo Alto Networks - PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start
Palo Alto Networks - How to Use the Partial Configuration Load Feature: https://knowledgebase.paloaltonetworks.com
What configuration is necessary for Active/Active HA to synchronize sessions between peers?
Answer : A
Where and how is Expedition installed?
Answer : A
Expedition, the migration tool provided by Palo Alto Networks, is installed on an Ubuntu server. The installation process involves running a script that automatically downloads and installs all necessary dependencies.
A . On an Ubuntu server, by running an installation script that will automatically download all dependencies
This method simplifies the installation process by automating the download and configuration of all required components, ensuring that the installation is straightforward and minimizes the potential for errors related to missing dependencies.
Palo Alto Networks - Expedition Installation Guide: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool
Palo Alto Networks - Expedition User Guide: https://live.paloaltonetworks.com/t5/expedition-documentation/ct-p/migration_tool_docs
In Panorama, what is the correct order of precedence for security policies?
Answer : C
A customer who has a multi-tenant environment needs the administrator to be restricted to specific objects and policies in the virtual system within its tenant. How can an administrator's access be restricted?
Answer : A
To restrict an administrator's access to specific objects and policies in the virtual system within a multi-tenant environment, you should:
A . Define access domains for virtual systems in the environment
Access domains allow you to control administrator access to specific virtual systems, device groups, and templates. By defining access domains, you can restrict the administrator's permissions to only the relevant sections of the configuration, ensuring they can manage only the objects and policies within their assigned virtual systems.
Palo Alto Networks - Admin Role Profiles and Access Domains: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/administering-pan-os/admin-role-profiles-and-access-domains
What happens when a packet from an existing session is received by a firewall that
Answer : D
When a packet from an existing session is received by a firewall that is part of an HA (High Availability) pair:
D . The firewall takes ownership of the session from the peer firewall
In a high-availability configuration, if a firewall in an HA pair receives a packet for an existing session that it is not currently handling, it will take ownership of that session from the peer firewall. This ensures seamless continuity of the session and maintains the stateful nature of the firewall's session handling.
Palo Alto Networks - High Availability Concepts: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-concepts
A customer is adding a new site-to-site tunnel from a Palo Alto Networks NGFW to a third party with a policy-based VPN peer. After the initial configuration is completed and the changes are committed, phase 2 fails to establish.
Which two changes may be required to fix the issue? (Choose two)
Answer : B, D
When configuring a site-to-site VPN between a Palo Alto Networks Next-Generation Firewall (NGFW) and a third-party device with a policy-based VPN peer, Phase 2 failures can often be attributed to configuration mismatches or missing parameters. Here are the two changes that may be required to fix the issue:
B . Verify that PFS is enabled on both ends: Perfect Forward Secrecy (PFS) is a method that ensures the security of cryptographic keys. Both ends of the VPN tunnel need to agree on whether PFS is used. If PFS is enabled on one side but not the other, Phase 2 will fail. Verify the PFS settings and ensure they are matched on both the Palo Alto firewall and the third-party VPN device.
D . Add proxy IDs to the IPsec tunnel configuration: Proxy IDs (or traffic selectors) define the specific local and remote IP ranges that are allowed to communicate through the VPN tunnel. They are particularly crucial when dealing with policy-based VPNs. If the proxy IDs are not correctly configured, Phase 2 negotiations will fail. Add the appropriate proxy IDs to the IPsec tunnel configuration to match the policy-based VPN settings of the third-party device.
Palo Alto Networks - Configuring Site-to-Site VPN Between Palo Alto Networks and a Third-Party Firewall: https://docs.paloaltonetworks.com
Palo Alto Networks - VPN Configuration Guidelines: https://knowledgebase.paloaltonetworks.com
An administrator needs to create a new Antivirus Profile to address a virus that is spreading internally over SMB.
To create a secure posture the administrator should choose which set of actions for the SMB decoder in an Antivirus Profile?
Answer : B
To create a secure Antivirus Profile to address a virus spreading internally over SMB, the administrator should choose the following set of actions for the SMB decoder:
B . Action - Reset-Both; Wildfire Action - Reset-Both
Choosing 'Reset-Both' for both the Antivirus Action and the Wildfire Action ensures that the connection is terminated on both the client and server sides whenever a virus is detected. This action helps prevent the spread of the virus by cutting off the infected connection immediately.
Palo Alto Networks - Antivirus Profile Best Practices: https://docs.paloaltonetworks.com/best-practices
Palo Alto Networks - Creating and Configuring Antivirus Profiles: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/antivirus-profiles
Which log type would you consult to diagnose why a specific URL is being blocked?
Answer : B
Which two log types are necessary to fully investigate a network intrusion? (Choose two)
Answer : B, C
An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall.
What additional license do they need to purchase?
Answer : A
To start using Device-ID to obtain policy rule recommendations, the customer needs to purchase:
A . a Cortex Data Lake license
The Cortex Data Lake is a cloud-based logging service that aggregates data from all Palo Alto Networks products and services. Device-ID uses this data to provide insights and recommendations for policy rules based on the identities of devices on the network.
Palo Alto Networks - Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake
Palo Alto Networks - Device-ID Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-device-id-to-enforce-policy
Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?
Answer : C
To verify whether all SFP, SFP+, or QSFP modules are installed in a firewall, you should use the following CLI command:
C . show system state filter sys.s-phy*
This command provides detailed information about the physical state of the system, including the status of SFP, SFP+, and QSFP modules installed in the firewall.
Palo Alto Networks - CLI Commands for Troubleshooting Hardware Issues: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start/troubleshooting-hardware-issues
Palo Alto Networks - Understanding Hardware and Interface Details via CLI: https://knowledgebase.paloaltonetworks.com
Which firewall interface type allows you to non-disruptively monitor traffic coming from a port operating in promiscuous mode?
Answer : D
To non-disruptively monitor traffic coming from a port operating in promiscuous mode, the appropriate firewall interface type is:
D . TAP
A TAP (Test Access Point) interface allows the firewall to passively monitor network traffic without interfering with the actual flow of traffic. It is used to capture and analyze traffic for inspection, logging, and threat detection.
Palo Alto Networks - TAP Mode: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/network-interface-configurations/tap-mode
Which routing configuration should you recommend to a customer who wishes to actively use multiple pathways to the same destination?
Answer : B
For a customer who wishes to actively use multiple pathways to the same destination, the recommended routing configuration is:
B . ECMP (Equal-Cost Multi-Path)
ECMP allows the use of multiple paths to the same destination with equal cost metrics, enabling load balancing and redundancy. It is suitable for scenarios where multiple pathways are desired for traffic distribution and fault tolerance.
Palo Alto Networks - ECMP Overview: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-networking-admin/ecmp
Palo Alto Networks - Configuring ECMP: https://knowledgebase.paloaltonetworks.com
Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLI command can you run to determine the number of logs per second sent by each firewall?
Answer : D
To determine the number of logs per second sent by each firewall to a Panorama appliance, the appropriate CLI command to use is:
D . debug log-receiver statistics
This command provides detailed statistics about the logs being received by the Panorama, including the rate at which logs are being sent by each connected firewall. This information can help identify whether the Panorama is being overwhelmed by the volume of logs and which firewalls are contributing the most to the log traffic.
Palo Alto Networks - CLI Commands for Troubleshooting Panorama: https://docs.paloaltonetworks.com
Palo Alto Networks - Managing Logs and Log Forwarding: https://knowledgebase.paloaltonetworks.com
Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)
Answer : B, C, D
The interface deployments that support the Aggregate Ethernet (AE) Active configuration are:
B . LACP in Layer 3: Link Aggregation Control Protocol (LACP) can be used in Layer 3 interfaces to bundle multiple physical interfaces into a single logical interface for redundancy and increased bandwidth.
C . LACP in Layer 2: LACP can be used in Layer 2 interfaces to aggregate multiple Ethernet interfaces, enhancing throughput and providing failover capabilities within a Layer 2 network.
D . LACP in Virtual Wire: LACP can also be configured in Virtual Wire mode, which allows the firewall to aggregate interfaces while operating in a transparent mode, bridging traffic between interfaces without routing.
These configurations leverage LACP to improve network performance and reliability by combining multiple physical links into a single logical link.
Palo Alto Networks - Aggregate Interfaces: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/aggregate-ethernet-overview
Palo Alto Networks - LACP and LLDP Support: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/aggregate-ethernet/lacp-and-lldp-support
Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three)
Answer : A, B, E
To set up tunnel monitoring on an IPsec VPN tunnel between two offices, the following steps are needed:
A . Create a monitoring profile: This profile defines the criteria for monitoring, such as the IP address to ping and the failure condition.
B . Add an IP address to each tunnel interface: Tunnel monitoring requires an IP address on each tunnel interface to send and receive monitoring pings.
E . Enable tunnel monitoring on each IPsec tunnel: This step activates the monitoring profile on the IPsec tunnel, ensuring that the tunnel is actively monitored and can trigger alerts or failover mechanisms if the tunnel goes down.
These steps ensure that the tunnel is properly monitored, allowing for proactive detection and response to connectivity issues.
Palo Alto Networks - Configuring IPsec Tunnel Monitoring: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns/site-to-site-vpn/configure-ipsec-tunnel-monitoring
What is the default port used by the Terminal Services agent to communicate with a firewall?
Answer : A
The default port used by the Terminal Services agent to communicate with a Palo Alto Networks firewall is 5007. The Terminal Services agent (TS agent) integrates with Microsoft Terminal Services to associate user information with sessions, enabling User-ID to accurately map user identities to security policies. Reference: Palo Alto Networks Terminal Services Agent Documentation.
In a multi-tenant environment, what feature allows you to assign different administrators to different tenants?
Answer : C
When creating a custom application signature, which field allows you to specify the layer 7 protocol details to match?
Answer : C
A customer's Palo Alto Networks NGFW currently has only one security policy, allowing all traffic. They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an "allow any" rule.
What should the consultant say about Expedition?
Answer : B
The Expedition tool can help the customer extract security policies from an 'allow any' rule by using its Machine Learning feature:
B . By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic
Expedition can analyze traffic log files and apply machine learning algorithms to suggest security policies that match the observed traffic patterns. This helps in creating a more secure and granular policy set from a broad 'allow any' rule.
Palo Alto Networks - Expedition Documentation: https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool
Palo Alto Networks - Using Machine Learning in Expedition: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-machine-learning-overview/ta-p/260401