PCNSC Online Practice Questions and Answers

Which PAN-OS policy must you configure to force a user to provide additional credential before he is allowed to access an internal application that contains highly sensitive business data?

A. Authentication policy

B. Decryption policy

C. Security policy

D. Application Override policy

In High Availability, which information is transferred via the HA data link?

A. heartbeats

B. HA state information

C. session information

D. User-ID information

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.

Which two options would help the administrator Troubleshoot this issue? (Choose two.)

A. Perform a traffic pcap on the NGFW lo see any BGP problems

B. View the System logs and look for error messages about BGP

C. View the Runtime Stats and look for problems with BGP configuration

D. View the ACC lab to isolate routing issues.

Which two benefits come from assigning a Decrypting Profile to a Decryption rule with a" NO Decrypt" action? (Choose two.)

A. Block sessions with unsuspected cipher suites

B. Block sessions with untrusted issuers

C. Block credential phishing.

D. Block sessions with client authentication

E. Block sessions with expired certificates

An administrator logs in to the Palo Alto Networks NGFW and reports and reports that the WebUI is missing the policies tab. Which profile is the cause of the missing policies tab?

A. WebUI

B. Admin Role

C. Authorization

D. Authentication

A Security policy rule is configured with a Vulnerability Protection Profile and an action of Deny".

Which action will this configuration cause on the matched traffic?

A. The configuration is invalid it will cause the firewall to Skip this Security policy rule A warning will be displayed during a command.

B. The configuration is valid It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".

C. The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per. defined, severity defined actions defined in the associated Vulnerability Protection Profile.

D. The configuration is invalid. The Profile Settings section will be- grayed out when the action is set to "Deny".

The firewall identified a popular application as a unknown-tcp. Which options are available to identify the application? (Choose two.)

A. Create a Security policy to identify the customer application.

B. Create a customer object for the customer application server to identify the custom application.

C. Submit an App-ID request to Palo Alto Networks.

D. Create a custom application.

Which two methods can be configured to validate the revocation status of a certificate? (Choose two)

A. CRL

B. Cert-Validation-Profile

C. OCSP

D. CRT

E. SSL /TLS Service Profile

Which version of Global Protect supports split tunneling based on destination domain, client process, and HTTP/HTTPs video streaming application?

A. Glovbalprotect version 4.0 with PAn-OS 8.0

B. Glovbalprotect version 4.1 with PAn-OS 8.1

C. Glovbalprotect version 4.0 with PAn-OS 8.1

D. Glovbalprotect version 4.1 with PAn-OS 8.0

An administrator pushes a new configuration from panorama to a pair of firewalls that are configured as active/passive HA pair. Which NGFW receives the configuration from panorama?

A. the active firewall, which then synchronizes to the passive firewall

B. the passive firewall, which then synchronizes to the active firewall

C. both the active and passive firewalls independently, with no synchronization afterward

D. both the active and passive firewalls, which then synchronizes with each other

A Company needs to preconfigured firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to Hie future site?

A. preconfigured GlobalProtcet satellite

B. preconfigured GlobalProtcet client

C. preconfigured iPsec tunnels

D. preconfigured PPTP Tunnels

When is the content inspection performed in the packet flow process?

A. after the SSL Proxy re-encrypts the packet

B. before the packet forwarding process

C. after the application has been identified

D. before session lookup

Winch three steps will reduce the CPU utilization on the management plane? (Choose three. )

A. Disable predefined reports.

B. Reduce the traffic being decrypted by the firewall.

C. Disable SNMP on the management interface.

D. Application override of SSL application.

An administrator deploys PA-500 NGFWs as an active/passive high availability pair . The devices are not participating in dynamic router and preemption is disabled.

What must be verified to upgrade the firewalls to the most recent version of PAN OS software?

A. Antivirus update package

B. Applications and Threats update package

C. Wildfire update package

D. User-ID agent

Which DoS protection mechanism detects and prevents session exhaustion attacks?

A. TCP Port Scan Protection

B. Flood Protection

C. Resource Protection

D. Pocket Based Attack Protection