PCNSE6 - Palo Alto Networks Certified Network Security Engineer 6
Go back to Palo-Alto-Networks
What can cause missing SSL packets when performing a packet capture on data plane interfaces?
The packets are hardware offloaded to the offload processor on the data plane.
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule?
Dynamic IP and Port
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers
Application Identification (App-ID)
User Identification (User-ID)
Content Identification (Content-ID)
Which authentication method can provide role-based administrative access to firewalls running PAN- OS?
RADIUS with Vendor Specific Attributes
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?
Classified DoS Protection Policy using destination IP only with a Protect action
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
Intrazone, Interzone, Universal
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific file type, and there is a specific application that you want to match in the policy. What are three valid actions that can be set when the specified file is detected? Choose 3 answers
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with nonstandard syslog servers?
Create a custom log format under the syslog server profile.
Which two steps are required to make Microsoft Active Directory users appear in the firewall's traffic log? Choose 2 answers
Enable User-ID on the zone object for the source zone.
Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to "pre-logon"?
A user is reporting that they cannot download a PDF file from the internet. Which action will show whether the downloaded file has been blocked by a Security Profile?
Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
Application Command Center (ACC)
It is discovered that WebandNetTrends Unlimited's new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic. Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? Choose 2 answers
A custom application, with a name properly describing the new web server s purpose
A custom application and an application override policy that assigns traffic going to and from the web server to the custom application
Which method is the most efficient for determining which administrator made a specific change to the running config?
In the System log, set a filter for the name of the object that was changed.
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?
None of the firewall's policies have been assigned a Log Forwarding profile.
What is the maximum usable storage capacity of an M-100 appliance?
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs: pfs group mismatched: my:0 peer:2 Which setting should be changed on the Palo Alto Firewall to resolve this error message?
Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers
They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions that can be used.
They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop".
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060 s, each of which is configured to forward syslogs individually. The security engineer would like to leverage their two M-100 appliances to send syslog messages from a single source and has already deployed one in Panorama mode and the other as a Log Collector. What is the remaining step in implementing this solution?
Configure Collector Log Forwarding
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method will show the global counters associated with the traffic after configuring the appropriate packet filters?
From the CLI, issue the show counter global filter packet-filter yes command.
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? Choose 2 answers
GlobalProtect Data File
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo Alto Networks firewall for multiple virtual systems?
In the GUI under Device->Virtual Systems->Vsys2->Resource
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface goes down?
A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a destination NAT Policy rule. Given the following zone information: What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
Which two interface types provide support for network address translation (NAT)? Choose 2 answers
A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central controller using TCP and frequently disconnect due to a premature timeouts when going through a Palo Alto Networks firewall. Which action will address this issue without affecting all TCP traffic traversing the firewall?
Create an application with a specified TCP timeout and assign traffic to it with an application override policy.
What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an Active/Passive High Availability (HA) pair?
The firewalls must have the same set of licenses.
Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of server- to-client flows only?
Disable Server Response Inspection
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? Choose 3 answers
Validating that UDP port 53 packets are not being used to tunnel data for another protocol
Identifying unauthorized applications that attempt to connect over non-standard ports
Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server
A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as possible. What is the shortest time interval the company can configure their firewall to check for WildFire updates?
Every 15 minutes
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
A security architect has been asked to implement User-ID in a MacOS environment with no enterprise email, using a Sun LDAP server for user authentication. In this environment, which two User-ID methods are effective for mapping users to IP addresses? Choose 2 answers
A firewall is being attacked with a port scan. Which component can prevent this attack?
A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these policies?
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL Decryption?
How is the Forward Untrust Certificate used?
It is the issuer for an external certificate which is not trusted by the firewall.
What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address?
The internal host attempted to use DNS to resolve a known malicious domain into an IP address.