Paloalto Networks PCNSE6

s@lm@n

Paloalto Networks Exam PCNSE6 Palo Alto Networks Certified Network Security Engineer 6.0 Version: 6.1

[ Total Questions: 153 ]

Paloalto Networks PCNSE6 : Practice Test Question No : 1 Configuring a pair of devices into an Active/Active HA pair provides support for: A. Higher session count B. Redundant Virtual Routers C. Asymmetric routing environments D. Lower fail-over times Answer: B

Question No : 2

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation? A. Revert to Running Configuration B. Revert to last Saved Configuration C. Load Configuration Version D. Import Named Configuration Snapshot Answer: A

Question No : 3 HOTSPOT A company has a Palo Alto Networks firewall with a single VSYS that has both locally defined rules as well as shared and device-group rules pushed from Panorama. In what order are the policies evaluated?

A Composite Solution With Just One Click - Certification Guaranteed

2

Paloalto Networks PCNSE6 : Practice Test


3

Paloalto Networks PCNSE6 : Practice Test Answer:


4

Paloalto Networks PCNSE6 : Practice Test Question No : 4 A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information: Users outside the company are in the "Untrust-L3" zone.  The web server physically resides in the "Trust-L3" zone.  Web server public IP address: 1.1.1.1  Web server private IP address: 192.168.1.10 

Which NAT Policy rule will allow users outside the company to access the web server?

A. Option A B. Option B C. Option C D. Option D Answer: B

Question No : 5 Wildfire may be used for identifying which of the following types of traffic? A. URL content B. DHCP C. DNS D. Viruses Answer: D


5


Question No : 6 In PAN-OS 5.0, how is Wildfire enabled? A. Via the "Forward" and "Continue and Forward" File-Blocking actions B. A custom file blocking action must be enabled for all PDF and PE type files C. Wildfire is automatically enabled with a valid URL-Filtering license D. Via the URL-Filtering "Continue" Action. Answer: A

Question No : 7 The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real-time, the applications taking up the most bandwidth? A. Application Command Center (ACC) B. QoS Statistics C. QoS Log D. Applications Report Answer: A Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

Question No : 8 Which two steps are required to make Microsoft Active Directory users appear in the firewall’s traffic log? Choose 2 answers


6

Paloalto Networks PCNSE6 : Practice Test A. Enable User-ID on the zone object for the source zone. B. Enable User-ID on the zone object for the destination zone. C. Configure a RADIUS server profile to point to a domain controller. D. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions. E. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions. Answer: A,E

Question No : 9 Administrative Alarms can be enabled for which of the following except? A. Certificate Expirations B. Thresholds C. Security Security Violation Policy Tags D. Traffic Log capacity Answer: A

Question No : 10 Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day? A. Monitor->Session Browser B. Monitor->App Scope->Summary C. Objects->Applications->web-browsing D. ACC->Application Answer: D Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

Question No : 11


7

Paloalto Networks PCNSE6 : Practice Test Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment? A. HA3 is used for session synchronization B. The HA3 link is used to transfer Layer 7 information C. HA3 is used to handle asymmetric routing D. HA3 is the control link Answer: A

Question No : 12 Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?

A. So that information can be pulled from other network resources for User-ID B. To allow the firewall to push UserID information to a Network Access Control (NAC) device. C. To permit sys logging of User Identification events Answer: B

Question No : 13 When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on: A. Post-NAT addresses B. The same zones used in the NAT rules C. Pre-NAT addresses D. None of the above Answer: A

Question No : 14 Two firewalls are configured in an Active/Passive High Availability (HA) pair with the A Composite Solution With Just One Click - Certification Guaranteed

8

Paloalto Networks PCNSE6 : Practice Test following election settings:

Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state. Firewall 5050-B reboots causing 5050-A to become Active. Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is back online? A. Both firewalls are active (split brain) B. Firewall 5050-B C. Firewall 5050-A D. It could be either firewall Answer: B Reference: https://live.paloaltonetworks.com/docs/DOC-2926

Question No : 15 Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers A. Application Identification (App-ID) B. Group Identification (Group-ID) C. User Identification (User-ID) D. Threat Identification (Threat-ID) E. Content Identification (Content-ID) Answer: A,C,E Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 5


9


Question No : 16 In an Anti-Virus profile, changing the action to “Block” for IMAP or POP decoders will result in the following: A. The connection from the server will be reset B. The Anti-virus profile will behave as if “Alert” had been specified for the action C. The traffic will be dropped by the firewall D. Error 541 being sent back to the server Answer: B

Question No : 17 Subsequent to the installation of new licenses, the firewall must be rebooted A. True B. False Answer: B

Question No : 18 When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer A. To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine B. To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine To load balance GlobalProtect client connections to GlobalProtect Gateways C. None of the above D. Answer: B


10


Question No : 19 Can multiple administrator accounts be configured on a single firewall? A. Yes B. No Answer: A

Question No : 20

Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply. A. Security policy from trust zone to Internet zone that allows ping B. Create the appropriate routes in the default virtual router C. Security policy from Internet zone to trust zone that allows ping D. Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2 Answer: A,D

Question No : 21 A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall.


11

Paloalto Networks PCNSE6 : Practice Test Which method will show the global counters associated with the traffic after configuring the appropriate packet filters? A. From the CLI, issue the show counter interface command for the egress interface. B. From the GUI, select "Show global counters" under the Monitor tab. C. From the CLI, issue the show counter global filter packet-filter yes command. D. From the CLI, issue the show counter interface command for the ingress interface. Answer: C Reference: https://live.paloaltonetworks.com/docs/DOC-7971

Question No : 22 Which feature can be configured with an IPv6 address? A. Static Route B. RIPv2 C. DHCP Server D. BGP Answer: A Reference: https://live.paloaltonetworks.com/docs/DOC-5493

Question No : 23 When creating an application filter, which of the following is true? A. They are used by malware B. Excessive bandwidth may be used as a filter match criteria C. adapt to new IP addresses D. They They are are called called dynamic dynamic because because they they automatically will automatically include new applications from an application signature update if the new application's type is included in the filter Answer: D


12

Paloalto Networks PCNSE6 : Practice Test Question No : 24 Which statement accurately reflects the functionality of using regions as objects in Security policies? A. Predefined regions are provided for countries, not but not for cities. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. B. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. These custom regions can be used in the "Source User" field of the Security Policies. C. Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set up custom regions. D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. Both predefined regions and custom regions can be used in the "Source User" field. Answer: A

Question No : 25 In Active/Active HA environments, redundancy for the HA3 interface can be achieved by A. Configuring a corresponding HA4 interface B. Configuring HA3 as an Aggregate Ethernet bundle C. Configuring multiple HA3 interfaces D. Configuring HA3 in a redundant group Answer: B

Question No : 26 A Palo Alto Networks firewall has the following interface configuration;


13

Paloalto Networks PCNSE6 : Practice Test Hosts are directly connected on the following interfaces: Ethernet 1/6 - Host IP 192.168.62.2 Ethernet 1/3 - Host IP 10.46.40.63 The security administrator is investigating why ICMP traffic between the hosts is not working. She first ensures that ail traffic is allowed between zones based on the following security policy rule:

The routing table of the firewall shows the following output:

Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to communicate based on this information? A. Change the Management Profile. B. Change the security policy to explicitly allow ICMP on this interface. C. Change the configured zone to DMZ. D. Change the Virtual Router setting to VR1. Answer: D


14

Paloalto Networks PCNSE6 : Practice Test Question No : 27 What can cause missing SSL packets when performing a packet capture on data plane interfaces? A. There is a hardware problem with the offloading FPGA on the management plane. B. The missing packets are offloaded to the management plane CPU. C. The packets are hardware offloaded to the offload processor on the data plane. D. The packets are not captured because they are encrypted. Answer: C Reference: https://live.paloaltonetworks.com/docs/DOC-8621

Question No : 28 Which three processor types are found on the data plane of a PA-5050? Choose 3 answers A. Multi-Core Security Processor B. Signature Match Processor C. Network Processor D. Protocol Decoder Processor E. Management Processor Answer: A,B,C Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 8

Question No : 29 What happens at the point of Threat Prevention license expiration? A. Threat Prevention no longer updated; existing database still effective B. Threat Prevention is no longer used; applicable traffic is allowed C. Threat Prevention no longer used; applicable traffic is blocked A Composite Solution With Just One Click - Certification Guaranteed

15

Paloalto Networks PCNSE6 : Practice Test D. Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule Answer: A

Question No : 30 Wildfire may be used for identifying which of the following types of traffic? A. Malware B. DNS C. DHCP D. URL Content Answer: A

Question No : 31 A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as possible. What is the shortest time interval the company can configure their firewall to check for WildFire updates? A. Every 24 hours B. Every 30 minutes C. Every 15 minutes D. Every 1 hour E. Every 5 minutes Answer: C Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11

Question No : 32 A Composite Solution With Just One Click - Certification Guaranteed

16

Paloalto Networks PCNSE6 : Practice Test After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal authentication page when they launch their web browsers. How can this be corrected? A. Ensure that all users in the Trust Zone are using NTLM-capable browsers B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the Trust Zone. C. Confirm that Captive Portal Timeout value is not set below 2 seconds D. Enable "Redirect " as the Mode type in the Captive Portal Settings Answer: A,B

Question No : 33 As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest method mapping network that dofor notthese sign users, into LDAP. Which information source wouldofallow reliable User users ID mapping requiring the least amount of configuration? A. WMI Query B. Exchange CAS Security Logs C. Captive Portal D. Active Directory Security Logs Answer: C

Question No : 34 When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted? A. Ensure that the Service column is defined as "application-default" for this security rule. This will automatically include the implicit web-browsing application dependency. B. Create a subsequent rule which blocks all other traffic C. When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be permitted in subsequent rules. D. No other configuration is required on the part of the administrator, since implicit application dependencies will be added automaticaly.


17

Paloalto Networks PCNSE6 : Practice Test Answer: D

Question No : 35 After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs: pfs group mismatched: my:0 peer:2 Which setting should be changed on the Palo Alto Firewall to resolve this error message? A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2. C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2. D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs. Answer: C Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/vpns/interpret-vpn-error-messages.html

Question No : 36 Which best describes how Palo Alto Networks firewall rules are applied to a session? A. last match applied B. first match applied C. all matches applied D. most specific match applied Answer: B

Question No : 37


18

Paloalto Networks PCNSE6 : Practice Test It is discovered that WebandNetTrends Unlimited’s new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic. Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? Choose 2 answers

A. custom application, with a name properly describing the new web server s purpose B. A A custom application and an application override policy that assigns traffic going to and from the web server to the custom application C. An application override policy that assigns the new web server traffic to the built-in application "web-browsing" D. A custom application with content and threat detection enabled, which includes a signature, identifying the new web server s traffic Answer: A,B

Question No : 38 Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator? A. Terminal Server Agent B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall C. A User-ID agent, with the "Use for NTLM Authentication" option enabled. D. XML API for User-ID Agent Answer: D

Question No : 39 Users can be authenticated serially to multiple authentication servers by configuring: A. Multiple RADIUS Servers sharing a VSA configuration B. C. Authentication Authentication Sequence Profile D. A custom Administrator Profile Answer: B


19

Paloalto Networks PCNSE6 : Practice Test Question No : 40 Enabling "Highlight Unsused Rules" in the Security policy window will: A. Hightlight all rules that did not immmediately match traffic. B. Hightlight all rules that did not match traffic since the rule was created or since last reboot of the firewall C. Allows the administrator to troubleshoot rules when a validation error occurs at the time of commit. D. Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes Answer: B

Question No : 41 Which of the following must be enabled in order for UserID to function? A. Captive Portal Policies must be enabled. B. UserID must be enabled for the source zone of the traffic that is to be identified. C. Captive Portal must be enabled. D. Security Policies must have the UserID option enabled. Answer: B

Question No : 42 What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN-DB)? A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to reduce the number of logging events. B. URL-Filtering can now be employed as a match condition in Security policy C. IP-Based Threat Exceptions can now be driven by custom URL categories D. Daily database downloads for updates are no longer required as devices stay in-sync with the cloud. Answer: D


20

Paloalto Networks PCNSE6 : Practice Test Question No : 43 How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with nonstandard syslog servers? A. Enable support for non-standard syslog messages under device management. B. Select a non-standard syslog server profile. C. Create a custom log format under the syslog server profile. D. Check the custom-format checkbox in the syslog server profile. Answer: C Reference: https://live.paloaltonetworks.com/docs/DOC-2021 Page 16 of PDF available there.

Question No : 44 What are the three Security Policy rule Type classifications supported in PAN-OS 6.1? A. Security, NAT, Policy-Based Forwarding B. Intrazone, Interzone, Global C. Intrazone, Interzone, Universal D. Application, User, Content Answer: C https://www.paloaltonetworks.com/content/dam/paloaltonetworksReference: com/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19

Question No : 45 After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?


21

Paloalto Networks PCNSE6 : Practice Test A. The firewall is not licensed for logging to this Panorama device. B. Panorama is not licensed to receive logs from this particular firewall. C. None of the firewall’s policies have been assigned a Log Forwarding profile. D. A Server Profile has not been configured for logging to this Panorama device. Answer: C

Question No : 46 WildFire Analysis Reports are available for the following Operating Systems (select all that apply) A. Windows XP B. Windows 7 C. Windows 8 D. Mac OS-X Answer: A,B,C

Question No : 47 A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network? A. Zone Protection Policy with UDP Flood Protection B. Classified DoS Protection Policy using destination IP only with a Protect action C. QoS Policy to throttle traffic below maximum limit D. Security Policy rule to deny traffic to the IP address and port that is under attack Answer: B Reference: https://live.paloaltonetworks.com/docs/DOC-1746


22

Paloalto Networks PCNSE6 : Practice Test Question No : 48 Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:

Assume the following: 1. The firewall is configured to resolve DNS names using the internal DNS server. 2. The URL portal.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company s internal DNS server. 3. The URL gatewayl.company.com resolves to the external interface of the firewall on the company’s external DNS server and to the internal interface of the firewall on the company s internal DNS server. This Gateway configuration will have which two outcomes? Choose 2 answers A. Clients outside the network will be able to connect to the external gateway Gateway1. B. Clients inside the network will be able to connect to the internal gateway Gateway1. C. Clients outside the network will NOT be able to connect to the external gateway Gateway1. D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1. Answer: A,B


23


Question No : 49 Which of the following describes the sequence of the Global Protect agent connecting to a Gateway? A. The Agent connects to the Portal obtains a list of Gateways, and connects to the Gateway with the fastest SSL response time B. The agent connects to the closest Gateway and sends the HIP report to the portal C. The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time D. The agent connects to the portal and randomly establishes a connection to the first available gateway Answer: A

Question No : 50 A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these policies? A. Implicit Rules B. Post Rules C. Default Rules D. Pre Rules Answer: D

Question No : 51 The "Disable Server Return Inspection" option on a security profile: A. Can only be configured in Tap Mode


24

Paloalto Networks PCNSE6 : Practice Test B. Should only be enabled on security policies allowing traffic to a trusted server. C. Does not perform higher-level inspection of traffic from the side that srcinated the TCP SYN packet D. Only performs inspection of traffic from the side that srcinated the TCP SYN-ACK packet Answer: B

Question No : 52 What is the default setting for 'Action' in a Decryption Policy's rule? A. No-decrypt B. Decrypt C. Any D. None Answer: D

Question No : 53 Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers A. Virtual Wire B. Loopback C. Tunnel D. Layer3 Answer: B,D Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10

Question No : 54


25

Paloalto Networks PCNSE6 : Practice Test The following can be configured as a next hop in a Static Route: A. A Policy-Based Forwarding Rule B. Virtual System C. A Dynamic Routing Protocol D. Virtual Router Answer: D

Question No : 55 In order to route traffic between layer 3 interfaces on the PAN firewall you need: A. VLAN B. Vwire C. Security Profile D. Virtual Router Answer: A

Question No : 56 Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? A. Allow B. Alert C. Log D. Default Answer: B Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/urlfiltering/configure-url-filtering.html


26

Paloalto Networks PCNSE6 : Practice Test When a user logs in via Captive Portal, their user information can be checked against: A. Terminal Server Agent B. Security Logs C. XML API D. Radius Answer: D

Question No : 58 When configuring Admin Roles for Web UI access, what are the available access levels? A. Enable and Disable only B. None, Superuser, Device Administrator C. Allow and Deny only D. Enable, Read-Only and Disable Answer: D

Question No : 59 Which of the following objects cannot use User-ID as a match criteria? A. Security Policies B. QoS C. Policy Based Forwarding D. DoS Protection E. None of the above Answer: E

Question No : 60 A user is reporting that they cannot download a PDF file from the internet. Which action will show whether the downloaded file has been blocked by a Security A Composite Solution With Just One Click - Certification Guaranteed

27

Paloalto Networks PCNSE6 : Practice Test Profile? A. Filter the Session Browser for all sessions from the user with the application "adobe". B. Filter the System log for "Download Failed" messages. C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action. D. Filter the Data Filtering logs for the user’s traffic and the name of the PDF file. Answer: D

Question No : 61 The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? Choose 2 answers A. Threat Prevention B. App-ID C. URL Filtering D. PAN-OS E. GlobalProtect Data File Answer: A,E Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html

Question No : 62 When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset. A. True B. False Answer: B

Question No : 63


28

Paloalto Networks PCNSE6 : Practice Test You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic? A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone. B. Subinterface ID and VLAN tag only C. By Zone and/or IP Classifier D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet). Answer: D

Question No : 64 What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator? A. The URL filtering policy to Block is enforced B. It will be translated successfully C. It will be redirected to www.2600.com D. User will get "HTTP Error 503 - Service unavailable" message Answer: A

Question No : 65 Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? Choose 2 answers A. Brute-force signatures B. DNS-based command-and-control signatures C. PAN-DB URL Filtering D. BrightCloud URL Filtering Answer: B,C Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html


29

Paloalto Networks PCNSE6 : Practice Test Question No : 66 Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)

A. BitTorrent B. Gnutella C. Skype D. SSH Answer: A,D

Question No : 67 What is the correct policy to most effectively block Skype? A. Allow Skype, block Skype-probe B. Allow Skype-probe, block Skype C. Block Skype-probe, block Skype D. Block Skype Answer: A

Question No : 68 Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway? A. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the fastest SSL connect time A Composite Solution With Just One Click - Certification Guaranteed

30

Paloalto Networks PCNSE6 : Practice Test B. The agent connects to the portal and randomly establishes connect to the first available Gateway C. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the fastest PING response time D. The agent connects to the closest Gateway and sends the HIP report to the portal Answer: C

Question No : 69 For non-Microsoft clients, what Captive Portal method is supported? A. NTLM Auth B. User Agent C. Local Database D. Web Form Captive Portal Answer: D

Question No : 70 A network engineer experienced network reachability problems through the firewall. The routing table on the device is complex. To troubleshoot the problem the engineer ran a Command Line Interface (CLI) command to determine the egress interface for traffic destined to 98.139.183.24. The command resulted in the following output:

How should this output be interpreted? A. There is no route for the IP address 98.139.183.24, and there is a default route for outbound traffic. B. There is no interface in the firewall with the IP address 98.139.183.24. C. In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16. A Composite Solution With Just One Click - Certification Guaranteed

31

Paloalto Networks PCNSE6 : Practice Test D. There is no route for the IP address 98.139.183.24, and there is no default route. Answer: D

Question No : 71 In the following display, ethernetl/6 is configured with an interface management profile that allows ping with no restriction on the source address:

Given the following security policy rule base:

What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of ethernet1/6?

A. The firewall will send an ICMP redirect message to the client. B. The client will receive an ICMP "destination unreachable" packet. C. The interface will respond. D. The traffic will be dropped by the firewall. Answer: D

Question No : 72 In PAN-OS 5.0, how is Wildfire enabled? A. Via the URL-Filtering "Continue" Action B. Wildfire is automaticaly enabled with a valid URL-Filtering license C. A custom file blocking action must be enabled for all PDF and PE type files A Composite Solution With Just One Click - Certification Guaranteed

32

Paloalto Networks PCNSE6 : Practice Test D. Via the "Forward" and "Continue and Forward" File-Blocking actions Answer: A

Question No : 73 What is the maximum usable storage capacity of an M-100 appliance? A. 2TB B. 4TB C. 6TB D. STB Answer: B Reference: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set -up-panorama/set-up-the-m-100-appliance.html

Question No : 74 Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP. Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the server. A. The server’s public IP B. The firewall’s gateway IP C. The server’s private IP D. The firewall’s MGT IP Answer: A

Question No : 75 Which fields can be altered in the default Vulnerability profile?


33

Paloalto Networks PCNSE6 : Practice Test A. Severity B. Category C. CVE D. None Answer: D

Question No : 76 A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL Decryption? A. 512 bits B. 1024 bits C. 2048 bits D. 4096 bits Answer: C Reference: https://www.paloaltonetworks.com/documentation/61/panos/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxyserver-certificates.html

Question No : 77 A "Continue" action can be configured on the following Security Profiles: A. URL Filtering, File Blocking, and Data Filtering B. URL Filteringn C. URL Filtering and Antivirus D. URL Filtering and File Blocking Answer: D

Question No : 78


34

Paloalto Networks PCNSE6 : Practice Test What is the size limitation of files manually uploaded to WildFire A. Configuarable up to 10 megabytes B. Hard-coded at 10 megabytes C. Hard-coded at 2 megabytes D. Configuarable up to 20 megabytes Answer: A

Question No : 79 With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value

A. True B. False Answer: A

Question No : 80 To create a custom signature object for an Application Override Policy, which of the following fields are mandatory? A. Category B. Regular Expressions C. Ports D. Characteristics Answer: D

Question No : 81 HOTSPOT Match the components with their role in preventing threats. Answer options may be used more than once or not at all. A Composite Solution With Just One Click - Certification Guaranteed

35


Answer:

Question No : 82 Which method is the most efficient for determining which administrator made a specific A Composite Solution With Just One Click - Certification Guaranteed

36

Paloalto Networks PCNSE6 : Practice Test change to the running config? A. In the Configuration log, set a filter for the edit command and look for the object that was changed. B. In the System log, set a filter for the name of the object that was changed. C. In Config Audit, compare the current running config to all of the saved configurations until the change is found. D. In Config Audit, compare the current running config to previous committed versions until the change is found. Answer: B

Question No : 83 What option should be configured when using User-ID A. Enable User-ID per zone B. Enable User-ID per interface C. Enable User-ID per Security Policy D. None of the above Answer: C

Question No : 84 What built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems? A. superuser B. vsysadmin C. A custom role is required for this level of access D. deviceadmin Answer: D

Question No : 85


37

Paloalto Networks PCNSE6 : Practice Test Ethernet 1/1 has been configured with the following subinterfaces:

The following security policy is applied:

The Interface Management Profile permits the following:

Your customer is trying to ping 10.10.10.1 from VLAN 800 IP 10.10.10.2/24


38

Paloalto Networks PCNSE6 : Practice Test What will be the result of this ping? A. The ping will be successful because the management profile applied to Ethernet1/1 allows ping. B. The ping will not be successful because the virtual router is different from the other subinterfaces. C. The ping will not be successful because there is no management profile attached to Ethernet1/1.799. D. The ping will not be successful because the security policy does not apply to VLAN 800. E. The ping will be successful because the security policy permits this traffic. Answer: D

Question No : 86

Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface goes down? A. Link Monitoring B. Heartbeat Polling C. Preemption D. SNMP Polling Answer: A Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130

Question No : 87 A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA5060 s, each of which is configured to forward syslogs individually. The security engineer would like to leverage their two M-100 appliances to send syslog messages from a single source and has already deployed one in Panorama mode and the other as a Log Collector.


39

Paloalto Networks PCNSE6 : Practice Test What is the remaining step in implementing this solution? A. Configure Collector Log Forwarding B. Configure a Syslog Proxy Profile C. Configure a Panorama Log Forwarding Profile D. Enable Syslog Aggregation Answer: A Reference: https://live.paloaltonetworks.com/docs/DOC-7987

Question No : 88 What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent? A. System Logs and the indicator light under the User-ID Agent settings in the firewall B. There's only one location - System Logs C. There's only one location - Traffic Logs D. System Logs and indicator light on the chassis Answer: A

Question No : 89 HOTSPOT Assuming that the default antivirus profile is installed, match each decoder with its default action. Answer options may be used more than once or not at all.


40


Answer:


41


Question No : 90 A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a destination NAT Policy rule. Given the following zone information: DMZzone: DMZ-L3  Public zone: Untrust-L3  Web server zone: Trust-L3  Public IP address (Untrust-L3): 1.1.1.1  Private IP address (Trust-L3): 192.168.1.50 


42

Paloalto Networks PCNSE6 : Practice Test What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule? A. DMZ-L3 B. Any C. Untrust-L3 D. Trust-L3 Answer: C

Question No : 91 What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?

A. MGT interface address B. Loopback interface address C. Any one Layer 3 interface address D. Localhost address Answer: B

Question No : 92 When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs? A. Responding side, Traffic Logs B. Initiating side, Traffic Logs C. Responding side, System Logs D. Initiating side, System Logs Answer: C

Question No : 93 Which three inspections can be performed with a next-generation firewall but NOT with a A Composite Solution With Just One Click - Certification Guaranteed

43

Paloalto Networks PCNSE6 : Practice Test legacy firewall? Choose 3 answers A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2 B. Validating that UDP port 53 packets are not being used to tunnel data for another protocol C. Identifying unauthorized applications that attempt to connect over non-standard ports D. Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server E. Removing from the session table any TCP session without traffic for 3600 seconds Answer: B,C,D

Question No : 94 Which link is used by an Active-Passive cluster to synchronize session information? A. The Data Link B. The Control Link C. The Uplink D. The Management Link Answer: A

Question No : 95 Which option allows an administrator to segrate Panorama and Syslog traffic, so that the Management Interface is not employed when sending these types of traffic? A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and Syslog devices. B. Define a Loopback interface for the Panorama and Syslog Devices C. On the Device tab in the Web UI, create custom server profiles for Syslog and Panorama D. Service Route Configuration Answer: D


44

Paloalto Networks PCNSE6 : Practice Test What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator? A. A “Blocked” page response when the URL filtering policy to block is enforced. B. A “Success” page response when the site is successfully translated. C. The browser will be redirected to the srcinal website address. D. An "HTTP Error 503 Service unavailable" message. Answer: A

Question No : 97 By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be configured in order to send syslog data out of a different interface? A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same route. B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be sent through. C. Configure a Service Route for the Syslog service to use a dataplane interface. D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs. Answer: C Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reportsand-logging/define-remote-logging-destinations.html

Question No : 98 A company has a policy that denies all applications they classify as bad and permits only applications they classify as good. The firewall administrator created the following security policy on the company s firewall:


45

Paloalto Networks PCNSE6 : Practice Test Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers A. Different security profiles can be applied to traffic matching rules 2 and 3. B. Separate Log Forwarding profiles can be applied to rules 2 and 3. C. Rule 2 denies traffic flowing across different TCP and UDP ports than rule 3. D. A report can be created that identifies unclassified traffic on the network. Answer: A,D

Question No : 99 Which of the following options may be enabled to reduce system overhead when using Content ID?

A. STP B. VRRP C. RSTP D. DSRI Answer: D

Question No : 100 The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides: A. Password-protected access to specific file downloads, for authorized users increased speed on the downloads of the allowed file types B. Protection against unwanted downloads, by alerting the user with a response page indicating that file is going to be downloaded C. The Administrator the ability to leverage Authentication Profiles in order to protect against unwanted downloads Answer: C


46

Paloalto Networks PCNSE6 : Practice Test When configuring a Decryption Policy, which of the following are available as matching criteria in a policy? (Choose 3) A. Source Zone B. Source User C. Service D. URL-Category E. Application Answer: A,B,D

Question No : 102 Which authentication method can provide role-based administrative access to firewalls running PAN-OS? A. LDAP B. Certificate-based authentication C. Kerberos D. RADIUS with Vendor Specific Attributes Answer: D

Question No : 103 A company is in the process of upgrading their existing Palo Alto Networks firewalls from version 6.1.0 to 6.1.1. Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the enterprise? Choose 3 answers A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall. B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall after manuallyPAN-OS uploading. C. Download 6.1.1 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall. D. Push the PAN-OS 6.1.1 update from one firewall to all of the other remaining after updating one firewall. E. Download and push PAN-OS 6.1.1 from Panorama to each firewall. A Composite Solution With Just One Click - Certification Guaranteed

47

Paloalto Networks PCNSE6 : Practice Test F. Download and install PAN-OS 6.1.1 directly on each firewall. Answer: B,E,F Reference: https://live.paloaltonetworks.com/docs/DOC-1062

Question No : 104 How do you limit the amount of information recorded in the URL Content Filtering Logs? A. Enable DSRI B. Disable URL packet captures C. Enable URL log caching D. Enable Log container page only Answer: D

Question No : 105 In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are: A. Dynamic numbers that refer to a security policy’s order and are especially useful when filtering security policies by tags B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement C. Static numbers that must be manually re-numbered whenever a new security policy is added Answer: A

Question No : 106 Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they would like? A. Single Sign-On Mode A Composite Solution With Just One Click - Certification Guaranteed

48

Paloalto Networks PCNSE6 : Practice Test B. On Demand Mode C. Always On Mode D. Optional Mode Answer: B

Question No : 107 A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities. A. True B. False Answer: B

Question No : 108 Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to "pre-logon"? A. Certificate Revocation List B. Trusted root certificate C. Machine certificate D. Online Certificate Status Protocol Answer: C Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.

Question No : 109 A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive configuration and will be using HA-Lite.


49

Paloalto Networks PCNSE6 : Practice Test Which capability can be used in this situation? A. Configuration Sync B. Link Aggregation C. Session Sync D. Jumbo Frames Answer: A Reference: https://live.paloaltonetworks.com/docs/DOC-3091

Question No : 110 When configuring Security rules based on FQDN objects, which of the following statements are true? A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules are evaluated. B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. There is no limit on the number of IP addresses stored for each resolved FQDN. C. In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP addresses can be configured for each FQDN entry. D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The resolution of this FQDN stores up to 10 different IP addresses. Answer: C

Question No : 111 Which routing protocol is supported on the Palo Alto Networks platform? A. BGP B. RSTP C. ISIS D. RIPv1 Answer: A


50


Question No : 112 Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis, regardless of interface(s). They provide reconnaissance protection against TCP/UDP port scans and host sweeps. B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions that can be used. C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities. D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop". Answer: B,D Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-325328/Application%20DDoS%20Mitigation.pdf page 4

Question No : 113 To properly configure DOS protection to limit the number of sessions individually from specific source IPs you would configure a DOS Protection rule with the following characteristics: A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured B. Action: Deny, Aggregate Profile with "Resources Protection" configured C. Action: Protect, Aggregate Profile with "Resources Protection" configured D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured Answer: A


51

Paloalto Networks PCNSE6 : Practice Test When using Config Audit, the color yellow indicates which of the following? A. A setting has been changed between the two config files B. A setting has been deleted from a config file. C. A setting has been added to a config file D. An invalid value has been used in a config file. Answer: C

Question No : 115 An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone? A. Virtual Wire B. Tap C. L3 D. L2 Answer: A

Question No : 116 A security architect has been asked to implement User-ID in a MacOS environment with no enterprise email, using a Sun LDAP server for user authentication. In this environment, which two User-ID methods are effective for mapping users to IP addresses? Choose 2 answers A. Terminal Server Agent B. Mac OS Agent C. Captive Portal D. GlobalProtect Answer: C,D

Question No : 117


52

Paloalto Networks PCNSE6 : Practice Test When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is: A. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files. B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file. C. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list. D. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories. Answer: A

Question No : 118

In PANOS 6.0, rule numbers are: A. Numbers that specify the order in which security policies are evaluated. B. Numbers created to be unique identifiers in each firewall’s policy database. C. Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict. D. Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules. Answer: A

Question No : 119 HOTSPOT Match the description of an application field with its name. Answer options may be used more than once or not at all.


53


Answer:

Question No : 120 Which of the Dynamic Updates listed below are issued on a daily basis? A. Global Protect B. URL Filtering C. Antivirus D. Applications and Threats A Composite Solution With Just One Click - Certification Guaranteed

54

Paloalto Networks PCNSE6 : Practice Test Answer: B,C

Question No : 121 What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an Active/Passive High Availability (HA) pair? A. The peer HA1 IP address must be the same on both firewalls. B. The management interfaces must be on the same network. C. The firewalls must have the same set of licenses. D. The HA interfaces must be directly connected to each other. Answer: C Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 134

Question No : 122 Both SSL decryption and SSH decryption are disabled by default. A. True B. False Answer: A

Question No : 123 Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo Alto Networks firewall for multiple virtual systems? A. In the GUI B. In the GUI C. In the GUI D. In the GUI

under Network->Global Protect->Gateway->Vsys2 under Device->Setup->Session->Session Settings under Device->Virtual Systems->Vsys2->Resource under Network->Global Protect->Portal->Vsys2


55

Paloalto Networks PCNSE6 : Practice Test Answer: C Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6

Question No : 124 When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. A. Yes B. No Answer: A

Question No : 125 Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and RoleBased (customized user roles) A. True B. False Answer: A

Question No : 126 Which fields can be altered in the default Vulnerability Protection Profile?

A. Category B. Severity C. None Answer: C


56


Question No : 127 Which of the following types of protection are available in DoS policy? A. Session Limit, SYN Flood, UDP Flood B. Session Limit, Port Scanning, Host Swapping, UDP Flood C. Session Limit, SYN Flood, Host Swapping, UDP Flood D. Session Limit, SYN Flood, Port Scanning, Host Swapping Answer: A

Question No : 128 Select the implicit rules enforced on traffic failing to match any user defined Security Policies: A. Intra-zone traffic is denied B. Inter-zone traffic is denied C. Intra-zone traffic is allowed D. Inter-zone traffic is allowed Answer: B,C

Question No : 129 In PAN-OS 5.0, which of the following features is supported with regards to IPv6? A. OSPF B. NAT64 C. IPSec VPN tunnels None of the above D. Answer: B


57

Paloalto Networks PCNSE6 : Practice Test Question No : 130 Which of the following is NOT a valid option for built-in CLI access roles? A. read/write B. superusers C. vsysadmin D. deviceadmin Answer: A

Question No : 131 Which of the following interfaces types will have a MAC address? A. Layer 3 B. Tap C. Vwire D. Layer 2 Answer: D

Question No : 132 Given the following routing table:

Which configuration change on the firewall would cause it to use 10.66.24.88 as the A Composite Solution With Just One Click - Certification Guaranteed

58

Paloalto Networks PCNSE6 : Practice Test nexthop for the 192.168.93.0/30 network? A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext B. Configuring the metric for RIP to be higher than that of OSPF Int C. Configuring the metric for RIP to be lower than that of OSPF Ext D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int Answer: D Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-317278/Route%20Redistribution%20and%20Filtering%20TechNote%20-%20Rev%20B.pdf

Question No : 133 What is the name of the debug save file for IPSec VPN tunnels? A. set vpn all up B. test vpn ike-sa C. request vpn IPsec-sa test D. Ikemgr.pcap Answer: D

Question No : 134 Which of the following fields is not available in DoS policy? A. Destination Zone B. Source Zone C. Application D. Service Answer: C

Question No : 135


59

Paloalto Networks PCNSE6 : Practice Test Which of the following are methods HA clusters use to identify network outages? A. Path and Link Monitoring B. VR and VSys Monitors C. Heartbeat and Session Monitors D. Link and Session Monitors Answer: A

Question No : 136 Will an exported configuration contain Management Interface settings? A. Yes B. No Answer: A

Question No : 137 What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server. B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain. D. A malicious domain is trying to contact an internal DNS server. Answer: B Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14

Question No : 138 HOTSPOT


60

Paloalto Networks PCNSE6 : Practice Test Match each type of report provided by the firewall with its description. Answer options may be used more than once or not at all.

Answer:


61


Question No : 139 As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. Why would this be? A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block pages enabled. B. Application Block Pages will only be displayed when Captive Portal is configured C. Some Application ID's are set with a Session Timeout value that is too low. D. Application Block Pages will only be displayed when users attempt to access a denied web-based application.


62

Paloalto Networks PCNSE6 : Practice Test Answer: D

Question No : 140 When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use: A. The PostNAT destination zone and PostNAT IP address. B. The PreNAT destination zone and PreNAT IP address. C. The PreNAT destination zone and PostNAT IP address. D. The PostNAT destination zone and PreNAT IP address. Answer: D

Question No : 141 When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security policies can be set to match on multicast IP addresses. A. True B. False Answer: B

Question No : 142 A firewall is being attacked with a port scan. Which component can prevent this attack? A. DoS Protection B. Anti-Spyware C. Vulnerability Protection D. Zone Protection Answer: D Reference: https://live.paloaltonetworks.com/docs/DOC-4501


63


Question No : 143 How is the Forward Untrust Certificate used? A. It issues certificates encountered on the Untrust security zone. B. It is used for Captive Portal to identify unknown users. C. It is used when web servers request a client certificate. D. It is the issuer for an external certificate which is not trusted by the firewall. Answer: D

Question No : 144 A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central controller using TCP and frequently disconnect due to a premature timeouts when going through a Palo Alto Networks firewall. Which action will address this issue without affecting all TCP traffic traversing the firewall? A. Create a security policy without security profiles, allowing the client-to-server traffic. B. Create an application override policy, assigning the client-to-server traffic to a custom application. C. Create an application with a specified TCP timeout and assign traffic to it with an application override policy. D. Create an application override policy, assigning the server-to-client traffic to a custom application. Answer: C

Question No : 145 You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific file type, and there is a specific application that you want to match in the policy.


64

Paloalto Networks PCNSE6 : Practice Test What are three valid actions that can be set when the specified file is detected? Choose 3 answers A. Reset-both B. Block C. Continue D. Continue-and-forward E. Upload Answer: B,C,D Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287

Question No : 146 You’d like to schedule a firewall policy to only allow a certain application during a particular time of day. Where can this policy option be configured? A. Policies > Security > Service B. Policies > Security > Options C. Policies > Security > Application D. Policies > Security > Profile Answer: D

Question No : 147 When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of checking within a profile is: A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories D. None of the above A Composite Solution With Just One Click - Certification Guaranteed

65

Paloalto Networks PCNSE6 : Practice Test Answer: A

Question No : 148 Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule? A. Dynamic IP and Port B. Dynamic IP C. Bi-directional D. Static IP Answer: A Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panos/networking/nat.html

Question No : 149 A user complains that they are no longer able to access a needed work application after you have implemented vulnerability and anti-spyware profiles. The user's application uses a unique port. What is the most efficient way to allow the user access to this application? A. Utilize an Application Override Rule, referencing the custom port utilzed by this application. Application Override rules bypass all Layer 7 inspection, thereby allowing access to this application. B. In the Threat log, locate the event which is blocking access to the user's application and create a IP-based exemption for this user. C. In the vulnerability and anti-spyware profiles, create an application exemption for the user's application. D. Create a custom Security rule for this user to access the required application. Do not apply vulnerability and anti-spyware profiles to this rule. Answer: B


66

Paloalto Networks PCNSE6 : Practice Test Which two interface types provide support for network address translation (NAT)? Choose 2 answers A. HA B. Tap C. Layer3 D. Virtual Wire E. Layer2 Answer: C,D Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-711647/Understanding_NAT-4.1-RevC.pdf

Question No : 151 Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only? A. Apply an Application Override Policy B. Disable Server Response Inspection C. Add server IP to Security Policy exception D. Disable HIP Profile Answer: B Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/gettingstarted/set-up-basic-security-policies.html

Question No : 152 What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)

A. Improved DNSbased C&C signatures. B. Improved PANDB malware detection. A Composite Solution With Just One Click - Certification Guaranteed

67

Paloalto Networks PCNSE6 : Practice Test C. Improved BrightCloud malware detection. D. Improved malware detection in WildFire. Answer: A,B,D

Question No : 153 HOTSPOT Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are several possible values for Action:

Match each Reconnaissance Protection Action to its description.

Answer options may be used more than once or not at all.


68


Answer:


69



70

Paloalto Networks PCNSE6

Recommend Documents