Pcnse Updated Exam Questions And
Answers Graded A+!!!
What is the last step of packet processing in the firewall?
A. check allowed ports
B. check Security Profiles
C. check Security policy
D. forwarding lookup - ANS B
Which interface type requires you to configure where the next hop is for various addresses?
A. tap
B. virtual wire
C. Layer 2
D. Layer 3 - ANS D
How do you enable the firewall to be managed through a data-plane interface?
A. You specify Web UI in the interface properties.
B. You specify Management in the interface properties.
C. You specify HTTPS in the Interface Management Profile, and then specify in the interface
properties to use that profile.
D. You specify Management in the Interface Management Profile, and then specify in the
interface properties to use that profile. - ANS C
Some devices managed by Panorama have their external interface on ethernet1/1, some on
ethernet1/2. However, the zone definitions for the external zone are identical. What is the
recommended solution in this case?
A. Create two templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices. Use
the same external zone definitions in both. Apply those two templates to the appropriate
devices.
B. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices, and
one with the external zone definitions. Use those templates to create two template stacks, one
with the ethernet1/1 and external zone, another with the ethernet1/2 and external zone. Apply
those two template stacks to the appropriate devices.
C. Create three templates: one for the ethernet1/1 devices, one for the ethernet1/2 devices, and
one with the external zone definitions. Apply the external zone template to all device - ANS
A
,In a Panorama managed environment, which two options show the correct order of policy
evaluation? (Choose two.)
A. device group pre-rules, shared pre-rules, local firewall rules, intrazone-default,
interzone-default
B. device group pre-rules, local firewall rules, shared post-rules, device group post-rules,
intrazone-default, interzone-default
C. device group pre-rules, local firewall rules, device group post-rules, shared post-rules,
intrazone-default, interzone-default
D. device group pre-rules, local firewall rules, intrazone-default, interzone-default, device group
post-rules, shared post-rules
E. shared pre-rules, device group pre-rules, local firewall rules, intrazone-default,
interzone-default - ANS CE
When you deploy the Palo Alto Networks NGFW on NSX, how many virtual network interfaces
does a VM-Series firewall need?
A. two, one for traffic input and output and one for management traffic
B. four, two for traffic input and output and two for management traffic (for High Availability)
C. three, one for traffic input, one for traffic output, and one for management traffic
D. six, two for traffic input, two for traffic output, and two for management traffic (for High
Availability) - ANS C
Which source of user information is not supported by the NGFW?
A. RACF
B. LDAP
C. Active Directory
D. SAML - ANS A
What is the main mechanism of packet-based vulnerability attacks?
A. malformed packets that trigger software bugs when they are received
B. excess packets that fill up buffers, thus preventing legitimate traffic from being processed
C. packets that get responses that leak information about the system
D. packets that either fill up buffers or get responses that leak information - ANS A
Which method is not a PAN-OS software decryption method?
A. SSH Proxy
B. SSL Proxy
C. SSL Forward Proxy
D. SSL Inbound Inspection - ANS B
What type of identification does an Application Override policy override?
A. App-ID
B. User-ID
C. Content-ID
D. Service - ANS A
,Which two types of protocols can cause an insufficient data value in the Application field in the
Traffic log? (Choose two.)
A. UDP
B. TCP
C. ICMP
D. GRE
E. IGP - ANS AB
Which three profile types are used to prevent malware executables from entering the network?
(Choose three.)
A. Antivirus
B. Anti-Spyware
C. WildFire Analysis
D. File Blocking
E. Vulnerability Protection
F. Zone Protection - ANS ACD
Which user credential detection method does not require access to an external directory?
A. group mapping
B. domain credential filter
C. LDAP
D. Certificate - ANS D
Which object type has a property to specify whether it can transfer files?
A. Application
B. Service
C. User
D. User group - ANS A
When destination NAT rules are configured, the associated security rule is matched using which
parameters?
A. pre-NAT source zone and post-NAT destination zone
B. post-NAT source zone and pre-NAT destination zone
C. pre-NAT source zone and post-NAT destination IP address
E. post-NAT source zone and post-NAT destination zone - ANS A
What is the initial IP address for the management interface?
A. 10.0.0.1
B. 172.16.0.1
C. 192.168.1.1
D. 192.168.255.254 - ANS C
In a new firewall, which port provides web interface access by default?
, A. data port #1
B. any data port
C. management port
D. console port - ANS C
Which application requires you to import private keys?
A. Captive Portal
B. Forward Trust
C. SSL Inbound Inspection
D. SSL Exclude Certificate - ANS C
Under which conditions can two Layer 3 interfaces have the same IP address?
A. They must be connected to a common VLAN object interface.
B. They must be connected to the same Ethernet network through a switch. This configuration
can be used only for High Availability.
C. They must be connected to different virtual routers.
D. They must be subinterfaces of the same physical interface.
E. This feature is not supported. - ANS E
Which two protocols are supported for site-to-site VPNs? (Choose two.)
A. Authentication Header (AH)
B. Secure Socket Layer (SSL)
C. Encapsulating Security Payload (ESP)
D. Transport Layer Security (TLS)
E. Secure Shell (SSH) - ANS AC
21. GlobalProtect Portal is responsible for which two functions? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations - ANS BD
What is the preferred SYN flood defense action type?
A. Random Drop
B. Random Early Drop
C. SYN Proxy
D. SYN Cookies - ANS D
What would be a valid reason to allow non-SYN TCP packets at the start of a connection?
A. Such packets could happen legitimately in the case of asymmetric routing.
B. Such packets could happen legitimately if there is load balancing across firewalls.
C. Such packets could happen legitimately because of either asymmetric routing or load
balancing across firewalls.
