PCNSE PRATICE TEST, PCNSE, PCSNA
What is the last step of packet processing in the firewall?
A. check allowed ports
B. check Security Profiles
C. check Security policy
D. forwarding lookup - Answer B
Which interface type requires you to configure where the next hop is for various
addresses?
A. tap
B. virtual wire
C. Layer 2
D. Layer 3 - Answer D
How do you enable the firewall to be managed through a data-plane interface?
A. You specify Web UI in the interface properties.
B. You specify Management in the interface properties.
C. You specify HTTPS in the Interface Management Profile, and then specify in the
interface properties to use that profile.
D. You specify Management in the Interface Management Profile, and then specify in
the interface properties to use that profile. - Answer C
Some devices managed by Panorama have their external interface on ethernet1/1,
some on ethernet1/2. However, the zone definitions for the external zone are identical.
What is the recommended solution in this case?
A. Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices. Use the same external zone definitions in both. Apply those two templates to
the appropriate devices.
B. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices, and one with the external zone definitions. Use those templates to create two
template stacks, one with the ethernet1/1 and external zone, another with the
ethernet1/2 and external zone. Apply those two template stacks to the appropriate
devices.
C. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices, and one with the external zone definitions. Apply the external zone template to
all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can apply up to five
templates per device).
D. Create three template stacks: one for the ethernet1/1 devices, one for the
ethernet1/2 devices, and one with the external zone definitions. Apply the external zone
template to all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can
apply up to five templates per device). - Answer A
In a Panorama managed environment, which two options show the correct order of
policy evaluation? (Choose two.)
,A. device group pre-rules, shared pre-rules, local firewall rules, intrazone-default,
interzone-default
B. device group pre-rules, local firewall rules, shared post-rules, device group post-
rules, intrazone-default, interzone-default
C. device group pre-rules, local firewall rules, device group post-rules, shared post-
rules, intrazone-default, interzone-default
D. device group pre-rules, local firewall rules, intrazone-default, interzone-default,
device group post-rules, shared post-rules
E. shared pre-rules, device group pre-rules, local firewall rules, intrazone-default,
interzone-default - Answer CE
When you deploy the Palo Alto Networks NGFW on NSX, how many virtual network
interfaces does a VM-Series firewall need?
A. two, one for traffic input and output and one for management traffic
B. four, two for traffic input and output and two for management traffic (for High
Availability)
C. three, one for traffic input, one for traffic output, and one for management traffic
D. six, two for traffic input, two for traffic output, and two for management traffic (for
High Availability) - Answer C
Which source of user information is not supported by the NGFW?
A. RACF
B. LDAP
C. Active Directory
D. SAML - Answer A
What is the main mechanism of packet-based vulnerability attacks?
A. malformed packets that trigger software bugs when they are received
B. excess packets that fill up buffers, thus preventing legitimate traffic from being
processed
C. packets that get responses that leak information about the system
D. packets that either fill up buffers or get responses that leak information - Answer A
Which method is not a PAN-OS software decryption method?
A. SSH Proxy
B. SSL Proxy
C. SSL Forward Proxy
D. SSL Inbound Inspection - Answer B
What type of identification does an Application Override policy override?
A. App-ID
B. User-ID
C. Content-ID
D. Service - Answer A
,Which two types of protocols can cause an insufficient data value in the Application field
in the Traffic log? (Choose two.)
A. UDP
B. TCP
C. ICMP
D. GRE
E. IGP - Answer AB
Which three profile types are used to prevent malware executables from entering the
network? (Choose three.)
A. Antivirus
B. Anti-Spyware
C. WildFire Analysis
D. File Blocking
E. Vulnerability Protection
F. Zone Protection - Answer ACD
Which user credential detection method does not require access to an external
directory?
A. group mapping
B. domain credential filter
C. LDAP
D. Certificate - Answer D
Which object type has a property to specify whether it can transfer files?
A. Application
B. Service
C. User
D. User group - Answer A
When destination NAT rules are configured, the associated security rule is matched
using which parameters?
A. pre-NAT source zone and post-NAT destination zone
B. post-NAT source zone and pre-NAT destination zone
C. pre-NAT source zone and post-NAT destination IP address
E. post-NAT source zone and post-NAT destination zone - Answer A
What is the initial IP address for the management interface?
A. 10.0.0.1
B. 172.16.0.1
C. 192.168.1.1
D. 192.168.255.254 - Answer C
In a new firewall, which port provides web interface access by default?
A. data port #1
B. any data port
, C. management port
D. console port - Answer C
Which application requires you to import private keys?
A. Captive Portal
B. Forward Trust
C. SSL Inbound Inspection
D. SSL Exclude Certificate - Answer C
Under which conditions can two Layer 3 interfaces have the same IP address?
A. They must be connected to a common VLAN object interface.
B. They must be connected to the same Ethernet network through a switch. This
configuration can be used only for High Availability.
C. They must be connected to different virtual routers.
D. They must be subinterfaces of the same physical interface.
E. This feature is not supported. - Answer E
Which two protocols are supported for site-to-site VPNs? (Choose two.)
A. Authentication Header (AH)
B. Secure Socket Layer (SSL)
C. Encapsulating Security Payload (ESP)
D. Transport Layer Security (TLS)
E. Secure Shell (SSH) - Answer AC
21. GlobalProtect Portal is responsible for which two functions? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations - Answer BD
What is the preferred SYN flood defense action type?
A. Random Drop
B. Random Early Drop
C. SYN Proxy
D. SYN Cookies - Answer D
What would be a valid reason to allow non-SYN TCP packets at the start of a
connection?
A. Such packets could happen legitimately in the case of asymmetric routing.
B. Such packets could happen legitimately if there is load balancing across firewalls.
C. Such packets could happen legitimately because of either asymmetric routing or load
balancing across firewalls.
D. Such packets could happen because of router bugs. - Answer B
Where do you configure protection from malformed IP and TCP headers?
What is the last step of packet processing in the firewall?
A. check allowed ports
B. check Security Profiles
C. check Security policy
D. forwarding lookup - Answer B
Which interface type requires you to configure where the next hop is for various
addresses?
A. tap
B. virtual wire
C. Layer 2
D. Layer 3 - Answer D
How do you enable the firewall to be managed through a data-plane interface?
A. You specify Web UI in the interface properties.
B. You specify Management in the interface properties.
C. You specify HTTPS in the Interface Management Profile, and then specify in the
interface properties to use that profile.
D. You specify Management in the Interface Management Profile, and then specify in
the interface properties to use that profile. - Answer C
Some devices managed by Panorama have their external interface on ethernet1/1,
some on ethernet1/2. However, the zone definitions for the external zone are identical.
What is the recommended solution in this case?
A. Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices. Use the same external zone definitions in both. Apply those two templates to
the appropriate devices.
B. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices, and one with the external zone definitions. Use those templates to create two
template stacks, one with the ethernet1/1 and external zone, another with the
ethernet1/2 and external zone. Apply those two template stacks to the appropriate
devices.
C. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2
devices, and one with the external zone definitions. Apply the external zone template to
all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can apply up to five
templates per device).
D. Create three template stacks: one for the ethernet1/1 devices, one for the
ethernet1/2 devices, and one with the external zone definitions. Apply the external zone
template to all devices, and the ethernet1/1 and ethernet1/2 as appropriate (you can
apply up to five templates per device). - Answer A
In a Panorama managed environment, which two options show the correct order of
policy evaluation? (Choose two.)
,A. device group pre-rules, shared pre-rules, local firewall rules, intrazone-default,
interzone-default
B. device group pre-rules, local firewall rules, shared post-rules, device group post-
rules, intrazone-default, interzone-default
C. device group pre-rules, local firewall rules, device group post-rules, shared post-
rules, intrazone-default, interzone-default
D. device group pre-rules, local firewall rules, intrazone-default, interzone-default,
device group post-rules, shared post-rules
E. shared pre-rules, device group pre-rules, local firewall rules, intrazone-default,
interzone-default - Answer CE
When you deploy the Palo Alto Networks NGFW on NSX, how many virtual network
interfaces does a VM-Series firewall need?
A. two, one for traffic input and output and one for management traffic
B. four, two for traffic input and output and two for management traffic (for High
Availability)
C. three, one for traffic input, one for traffic output, and one for management traffic
D. six, two for traffic input, two for traffic output, and two for management traffic (for
High Availability) - Answer C
Which source of user information is not supported by the NGFW?
A. RACF
B. LDAP
C. Active Directory
D. SAML - Answer A
What is the main mechanism of packet-based vulnerability attacks?
A. malformed packets that trigger software bugs when they are received
B. excess packets that fill up buffers, thus preventing legitimate traffic from being
processed
C. packets that get responses that leak information about the system
D. packets that either fill up buffers or get responses that leak information - Answer A
Which method is not a PAN-OS software decryption method?
A. SSH Proxy
B. SSL Proxy
C. SSL Forward Proxy
D. SSL Inbound Inspection - Answer B
What type of identification does an Application Override policy override?
A. App-ID
B. User-ID
C. Content-ID
D. Service - Answer A
,Which two types of protocols can cause an insufficient data value in the Application field
in the Traffic log? (Choose two.)
A. UDP
B. TCP
C. ICMP
D. GRE
E. IGP - Answer AB
Which three profile types are used to prevent malware executables from entering the
network? (Choose three.)
A. Antivirus
B. Anti-Spyware
C. WildFire Analysis
D. File Blocking
E. Vulnerability Protection
F. Zone Protection - Answer ACD
Which user credential detection method does not require access to an external
directory?
A. group mapping
B. domain credential filter
C. LDAP
D. Certificate - Answer D
Which object type has a property to specify whether it can transfer files?
A. Application
B. Service
C. User
D. User group - Answer A
When destination NAT rules are configured, the associated security rule is matched
using which parameters?
A. pre-NAT source zone and post-NAT destination zone
B. post-NAT source zone and pre-NAT destination zone
C. pre-NAT source zone and post-NAT destination IP address
E. post-NAT source zone and post-NAT destination zone - Answer A
What is the initial IP address for the management interface?
A. 10.0.0.1
B. 172.16.0.1
C. 192.168.1.1
D. 192.168.255.254 - Answer C
In a new firewall, which port provides web interface access by default?
A. data port #1
B. any data port
, C. management port
D. console port - Answer C
Which application requires you to import private keys?
A. Captive Portal
B. Forward Trust
C. SSL Inbound Inspection
D. SSL Exclude Certificate - Answer C
Under which conditions can two Layer 3 interfaces have the same IP address?
A. They must be connected to a common VLAN object interface.
B. They must be connected to the same Ethernet network through a switch. This
configuration can be used only for High Availability.
C. They must be connected to different virtual routers.
D. They must be subinterfaces of the same physical interface.
E. This feature is not supported. - Answer E
Which two protocols are supported for site-to-site VPNs? (Choose two.)
A. Authentication Header (AH)
B. Secure Socket Layer (SSL)
C. Encapsulating Security Payload (ESP)
D. Transport Layer Security (TLS)
E. Secure Shell (SSH) - Answer AC
21. GlobalProtect Portal is responsible for which two functions? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations - Answer BD
What is the preferred SYN flood defense action type?
A. Random Drop
B. Random Early Drop
C. SYN Proxy
D. SYN Cookies - Answer D
What would be a valid reason to allow non-SYN TCP packets at the start of a
connection?
A. Such packets could happen legitimately in the case of asymmetric routing.
B. Such packets could happen legitimately if there is load balancing across firewalls.
C. Such packets could happen legitimately because of either asymmetric routing or load
balancing across firewalls.
D. Such packets could happen because of router bugs. - Answer B
Where do you configure protection from malformed IP and TCP headers?
