Mock P C N S E Exam 5 Quiz

1.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

An administrator connects four new remote offices to the corporate data center. The administrator decides to use the Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall.

What should the administrator configure in order to connect the sites?

Generic Routing Encapsulation (GRE) Tunnels

GlobalProtect Satellite

SD-WAN

IKE Gateways

Answer explanation

GlobalProtect Satellite—A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/large-scale-vpn-lsvpn/lsvpn-overview#id6b64ee5f-9e3f-4246-9296-945c25cd6c3b

2.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

A customer wants to set up a site-to-site VPN using tunnel interfaces.

What format is the correct naming convention for tunnel interfaces?

tun.1025

tunnel.50

vpn.1024

gre1/2

Answer explanation

tunnel is the default name on the setup page, while 50 is the number you assigned for the tunnel... and when you finish creating the tunnel, the wizard adds the default name and assigned number together making it tunnel.50

3.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

An engineer notices that the tunnel monitoring has been failing for a day and the VPN should have failed over to a backup path.

What part of the network profile configuration should the engineer verify?

Destination IP

Threshold

Action

Interval

Answer explanation

Configure a Monitoring Profile.

Network > Network Profiles > Monitor > Add

Make sure "Fail Over" Option is selected. < Action Settings

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO

4.

MULTIPLE SELECT QUESTION

2 mins • 1 pt

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

One-time password

User certificate

SMS

Voice

Fingerprint

Answer explanation

Push

An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.

Short message service (SMS)

An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

Voice

An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

One-time password (OTP)

An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

5.

MULTIPLE SELECT QUESTION

2 mins • 1 pt

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

LDAP

Log Ingestion

HTTP

Log Forwarding

Answer explanation

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs.

>Configure an HTTP server profile to forward logs to a remote User-ID agent.

> Select the log forwarding profile you created then select this server profile as the HTTP server profile

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

6.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?

Application port number translation

IPv6-to-IPv6 network prefix translation

Stateful translation to provide better security

IPv6-to-IPv6 host portion translation

Answer explanation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nptv6/how-nptv6-works

7.

MULTIPLE SELECT QUESTION

2 mins • 1 pt

An administrator has been tasked with deploying SSL Forward Proxy.

Which two types of certificates are used to decrypt the traffic? (Choose two.)

Device certificate

Subordinate CA from the administrator’s own PKI infrastructure

Self-signed root CA

External CA certificate

8.

MULTIPLE SELECT QUESTION

2 mins • 1 pt

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Inherit all Security policy rules and objects

Inherit settings from the Shared group

Inherit IPSec crypto profiles

Inherit parent Security policy rules and objects

Answer explanation

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

9.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A self-signed certificate generated on the firewall

A web server certificate signed by the organization’s PKI

A web server certificate signed by an external Certificate Authority

A subordinate Certificate Authority certificate signed by the organization’s PKI

Answer explanation

The only acceptable answer is A. You don't want to pay for the certificate, you don't want it to have a chain of trust and you don't want it trusted anywhere in your network. It's an 'Untrust' certificate after all.

10.

MULTIPLE CHOICE QUESTION

2 mins • 1 pt

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

Disable ALG under H.323 application

Increase the TCP timeout under H.323 application

Increase the TCP timeout under SIP application

Disable ALG under SIP application

Answer explanation

The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications—such as VoIP—have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.

One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.

Create a free account and access millions of resources

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Professional Development