Block 3 Flashcards

1
Q

114-Which data flow describes redistribution of user mappings?
UserID >> FW1 >> FW2 >> FW3

A. User-ID agent to firewall
B. Domain Controller to User-ID agent
C. User-ID agent to Panorama
D. firewall to firewall

A

D. firewall to firewall

2
Q

115-Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

A. System Utilization log
B. System log
C. Resources widget
D. CPU Utilization widget

A

C. Resources widget

3
Q

116-Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)

A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password

A

A. Short message service
B. Push
D. Voice
F. One-Time Password

4
Q

117-Which two features does PAN-OS® software use to identify applications? (Choose two.)

A. transaction characteristics
B. session number
C. port number
D. application layer payload

A

A. transaction characteristics

D. application layer payload

5
Q

118-An administrator wants to upgrade a firewall from PAN-OS® 9.1 to PAN-OS® 10.0. The firewall is not a part of an HA pair. What needs to be updated first?

A. Applications and Threats
B. XML Agent
C. WildFire
D. PAN-OS Upgrade Agent

A

A. Applications and Threats

6
Q

119-When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A. Load configuration version
B. Save candidate config
C. Export device state
D. Load named configuration snapshot

A

C. Export device state

7
Q

120-Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two.)

A. HA1 IP Address
B. Master Key
C. Zone Protection Profile
D. Network Interface Type

A

A. HA1 IP Address
B. Master Key

8
Q

121-An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?

A. Malware
B. Grayware
C. Phishing
D. Spyware

A

B. Grayware

9
Q

122-When configuring the firewall for packet capture, what are the valid stage types?

A. receive, management, transmit, and non-syn
B. receive, management, transmit, and drop
C. receive, firewall, send, and non-syn
D. receive, firewall, transmit, and drop

A

D. receive, firewall, transmit, and drop

10
Q

123-Which operation will impact the performance of the management plane?

A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions

A

C. generating a SaaS Application report

11
Q

124-Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?

syslog listening
server monitoring
client probing
port mapping

A

syslog listening

12
Q

125-The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

A

A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone

13
Q

126-Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

A. At-boot
B. Pre-logon
C. User-logon (Always on)
D. On-demand

A

B. Pre-logon

14
Q

127-Which feature can provide NGFWs with User-ID mapping information?

A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication

A

C. GlobalProtect

15
Q

128-Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)

A. Role Based
B. Custom Panorama Admin
C. Device Group
D. Dynamic
E. Template Admin

A

C. Device Group

E. Template Admin

16
Q

129- Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

A. Select download-and-install
B. Select download-only
C. Select download-and-install, with Disable new apps in content update selected
D. Select disable application updates and select Install only Threat updates

A

C. Select download-and-install, with Disable new apps in content update selected

17
Q

130-Which is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?

A. 10,000
B. 15,000
C. 7,500
D. 5,000

A

A. 10,000

18
Q

131- In which two types of deployment is active/active HA configuration supported? (Choose two.)

A. Layer 3 mode
B. TAP mode
C. Virtual Wire mode
D. Layer 2 mode

A

A. Layer 3 mode

C. Virtual Wire mode

19
Q

132- For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)

A. ingress processing errors
B. rule match with action deny
C. rule match with action allow
D. equal-cost multipath

A

A. ingress processing errors
B. rule match with action deny

20
Q

133- Which logs enable a firewall administrator to determine whether a session was decrypted?

A. Traffic
B. Security Policy
C. Decryption
D. Correlated Event

A

A. Traffic

21
Q

134 - An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

A. Static route pointing application PaloAlto-updates to the update servers
B. Security policy rule allowing PaloAlto-updates as the application
C. Scheduler for timed downloads of PAN-OS software
D. DNS settings for the firewall to use for resolution

A

D. DNS settings for the firewall to use for resolution

22
Q

135- A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

A. Add an Anti-Spyware Profile to block attacking IP address
B. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
C. Add QoS Profiles to throttle incoming requests
D. Add a tuned DoS Protection Profile

A

D. Add a tuned DoS Protection Profile

23
Q

136- An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS® software?

A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.

A

B. Applications and Threats update package.

24
Q

137- A firewall administrator has been asked to configure a Palo Alto Networks NGFW to protect against compromised hosts trying to phone-home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?

A. Anti-Spyware
B. WildFire
C. Vulnerability Protection
D. Antivirus

A

A. Anti-Spyware

25
Q

138- What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

A

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.

26
Q

139 - Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile

A

A. CRL

C. OCSP