PCNSE Exam Domain 1 PLAN

PCNSE Exam Domain 1 (PLAN)

Which component of the integrated Palo Alto Networks security solution limits network- attached workstation access to a corporate mainframe?next-generation firewall Which Palo Alto Networks product is designed primarily to provide threat context with deeper information about attacks?AutoFocus Which Palo Alto Networks product is designed primarily to provide normalization of threat intelligence feeds with the potential for automated resopnse?MineMeld Which Palo Alto Networks product is designed primarily to prevent endpoints from successfully running malware programs?Traps The Palo Alto Networks Cortex Data Lake can accept logging from which two products?Traps Next-generation firewalls Which Palo Alto Networks product is a cloud-based storage service designed to hold log information?Cortex Data Lake Which product is an example of an application designed to analyze Cortex Data Lake information?Cortex XDR- Analytics A potential customer says it wants to maximize the threat detection capability of its next- generation firewall. Which three additional services should it consider implementing to enhance its firewall's capability to detect threats?WildFire URL Filtering DNS Security A VM-Series firewall differs from a physical Palo Alto Networks firewall in which way?A VM-Series firewall supports fewer traffic interface types Which product would best secure east-west traffic within a public cloud implementation?VM-Series firewall Why would you recommend an active/active firewall cluster instead of an active/passive firewall cluster?Active/active is the preferred solution when the firewall cluster is behind a load balancer that randomizes routing, thus requiring both firewalls to be active Which two events can trigger an HA pair failover event?

• An HA cable is disconnected from one of the firewalls
• The firewall fails to ping a path-monitored destination address successfully

Which two firewall features support floating IP addresses in an active/active HA Pair?

• Source NAT
• VPN Endpoints

How are firewalls configurations in an active/passive HA pair synchronized if the firewalls are not under Panorama control?

An administrator commits the change to one, which automatically synchronizes with the other In which two ways is an active/passive HA pair configured in virtual firewalls deployed in any public clouds?

• The virtual firewalls are deployed in a cloud "scale set" with a cloud-supplied load

balancer in front to detect and manage failover

• The virtual firewalls rely on a VM-Series plugin to map appropriate cloud functions to

the firewall's HA settings Without having to make network address configuration changes, you would use which type of network interface to insert a Palo Alto Networks firewall in front of a legacy port- based firewall to collect application information from incoming network traffic?virtual wire (vWire) Which type of interface do you use to connect Layer 2 and Layer 3 interfaces?VLAN interface Which three types of interfaces can the firewall's management web interface be bound to?

1. VLAN

• Tunnel
• Layer 3

Which three types of interfaces connect to a virtual router?

1. VLAN

• Tunnel
• Layer 3

Which dynamic routing protocol is not supported by the Palo Alto Networks firewall?

IGRP Which action is not compatible with aggregate interface configuration?aggregating 12 Layer 3 interfaces In a Panorama environment, how do you create and view enterprise-wide reports that include data from all managed firewalls?Run Panorama reports normally. Firewall summary reporting information is gathered automatically once the firewalls are managed by Panorama What must you configure to guarantee duplication of log data on Log Collectors?Log Collector settings to include "Enable log redundancy" Which three devices can be used as Log Collectors?

• Virtual Panorama

2. M-600

3. M-200

True/False Both Panoramas collect independent logging traffic and are not affected by failover.True True/False Both Panoramas receive the same logging traffic and synchronize in case of HA failover.False How are log retention periods on Palo Alto Networks firewalls increased?Forward logs to external Log Collectors

How do you access, and view firewall log data sent to the Cortex Data Lake?Through Panorama using a Log Collector configuration for access Log retention is increased when a Dedicated Log Collector is used to collect logs from firewalls in which two ways?

• Adding storage capacity to the Log Collector
• Adding Log Collectors to the Log Collector group

The Security policy for all of a customer's remote offices is the same, but different offices have different firewall models. If the remote offices are managed by Panorama, how might the offices share device groups and templates?Same device group, different template stacks A Panorama template stack contains two templates and one configuration setting has a different value in each template. When Panorama pushes the template stack to the managed firewalls, which setting value will the firewalls receive?Value from the top template of the stack Which two firewall settings can be stored in Panorama templates?

• Server Profile for an External LDAP server
• Data-plane interface configurations

Where in Panorama do you enter Security policy rules to ensure that your new rules will take precedence over locally entered rules?Pre-rules section of Security policy rules In Panorama, how would you make changes to a Security policy rule for a specific firewall?Log into Panorama, clone the rule, modify the clone, and add a target firewall to the new rule Which three firewall settings are stored in Panorama device groups?

• Custom App-ID signatures
• Services definitions
• DoS protection profiles

Which part of a VM-Series firewall should be updated to provide maximum feature support for a public cloud?The latest VM-Series plugin Which two types of firewall interfaces are most likely to be supported in public cloud deployments?

• Layer 3
• Tunnel

From where can you buy and download a VM-Series virtual firewall appliance for a public cloud deployment?Could vendor's "Solution Marketplace" Which two conditions must be met to manage Palo Alto Networks firewalls deployed in multiple cloud environments from a central Panorama?

• The Panorama and firewall must be able to communicate
• Firewalls must be running a version of PAN-OS software equal to or less than that on

Panorama A private cloud has 20 VLANs spread over five ESXi hypervisors, managed by a single vCenter. How many firewall VMs are needed to implement microsegmentation?Five

When you deploy the Palo Alto Networks NGFW on NSX, packets coming to an application VM from VMs running on different hardware go through which modules?Network, vSwitch, NSX firewall, Palo Alto Networks NGFW, NSX firewall Which option shows the interface types that ESXi supports on the VM-Series firewalls?Tap, Layer 2, Layer 3, Virtual wire To configure multi-factor authentication for users accessing services through the firewall, which three configuration pieces need to be addressed?

• Captive Portal
• Authentication Enforcement Profile
• Authentication Profile

Which firewall configuration component is used to configure access to an external authentication service?Server profiles Which two firewall functions are reserved only for administrators assigned the superuser dynamic role?

• Managing firewall admin accounts
• Creating virtual systems within a firewall

Palo Alto Networks firewall can obtain a certificate for its internal use through which three methods?

• Import the certificate file generated by an external CA
• Generate a certificate directly by manually entering certificate data
• Obtain a certificate from an SCEP server using and SCEP Profile

The firewall uses which information to determine which interface to use for a packet's egress?(RIB) routing information base A virtual router can use a Redistribution Profile to share routers between which three routing protocols?

1. OSPF

2. BGP

• Static

How does a firewall determine which route to use when its RIB is populated with multiple routes to the same location, but routes were added by different routing protocol?Using the routes administrative distance and choosing the lowest value For which two reasons are denial-of-service protections applied by zone?

• Because denial DoS protections are applied early in the processing, before much

information is known about the connection but when the ingress interface is already known

• Because DoS protections are applied only when manually turned on to avoid quota

overload (which would make DoS easier) SYN flood protection provides flood protection from which protocol?

TCP To which two protocols does port scan reconnaissance protection apply?

1. TCP

2. UDP

For which two places do you configure flood protection?