PCNSE6 Premium Bundle

Palo Alto Networks Certified Network Security Engineer 6.0 Certification Exam
Last update: November 23, 2024

Paloalto-Networks PCNSE6 Free Practice Questions

Q1. A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. 

Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network? 

A. Zone Protection Policy with UDP Flood Protection 

B. Classified DoS Protection Policy using destination IP only with a Protect action 

C. QoS Policy to throttle traffic below maximum limit 

D. Security Policy rule to deny traffic to the IP address and port that is under attack 

Answer:

Explanation: 

Reference: https://live.paloaltonetworks.com/docs/DOC-1746 
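The distinction Q1 turns on is scope: a Zone Protection UDP flood threshold counts every UDP packet entering the zone, so once the flood crosses it, packets to uninvolved hosts are throttled too, whereas a classified DoS Protection policy keyed on destination IP keeps a separate counter per target. The following Python simulation is an added illustration, not material from the exam page or from Palo Alto Networks; the packet stream, the victim address 10.1.1.10 and the single-threshold limiters are constructed and deliberately omit the alarm/activate/maximum rate machinery PAN-OS actually uses.

```python
"""Added illustration: per-destination versus zone-wide UDP flood thresholds.
A constructed one-second window of packets is run through two simplified
rate limiters. Real PAN-OS Zone Protection / DoS Protection use alarm,
activate and maximum rates and more state than this toy models."""
import random
from collections import Counter

VICTIM = "10.1.1.10"  # constructed: host targeted by the NTP amplification flood


def build_stream(attack_pps, legit_pps, seed=1):
    """Constructed traffic for one second: attack_pps spoofed NTP replies
    (UDP/123) aimed at VICTIM, interleaved with legit_pps ordinary UDP packets
    to five other internal hosts. Each tuple is (second, src, dst, dport)."""
    attack = [(0, f"203.0.113.{i % 250 + 1}", VICTIM, 123) for i in range(attack_pps)]
    legit = [(0, "198.51.100.7", f"10.1.1.{20 + i % 5}", 53) for i in range(legit_pps)]
    stream = attack + legit
    random.Random(seed).shuffle(stream)  # deterministic interleaving
    return stream


def zone_flood_verdicts(packets, threshold):
    """Zone Protection style: a single UDP counter per second for the whole
    zone. Once the zone total exceeds the threshold, every further packet in
    that second is dropped, regardless of its destination."""
    per_second = Counter()
    verdicts = []
    for sec, _src, _dst, _dport in packets:
        per_second[sec] += 1
        verdicts.append("allow" if per_second[sec] <= threshold else "drop")
    return verdicts


def classified_dos_verdicts(packets, threshold):
    """Classified DoS Protection with 'destination IP only': one counter per
    (second, destination). Only a destination whose own rate exceeds the
    threshold is limited; other hosts in the zone are untouched."""
    per_dst = Counter()
    verdicts = []
    for sec, _src, dst, _dport in packets:
        per_dst[(sec, dst)] += 1
        verdicts.append("allow" if per_dst[(sec, dst)] <= threshold else "drop")
    return verdicts


def collateral(verdicts, packets):
    """Dropped packets that were NOT addressed to the victim, i.e. legitimate
    traffic to other hosts that the mitigation sacrificed."""
    return sum(1 for v, p in zip(verdicts, packets) if v == "drop" and p[2] != VICTIM)


def compare(attack_pps=5000, legit_pps=100, threshold=1000):
    """Run both limiters over the same constructed second and summarise."""
    packets = build_stream(attack_pps, legit_pps)
    zone = zone_flood_verdicts(packets, threshold)
    classified = classified_dos_verdicts(packets, threshold)
    return {
        "zone_dropped": zone.count("drop"),
        "zone_collateral": collateral(zone, packets),
        "classified_dropped": classified.count("drop"),
        "classified_collateral": collateral(classified, packets),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:22s} {value}")
```

With 5,000 attack packets, 100 legitimate packets and a threshold of 1,000, the zone-wide limiter drops 4,100 packets including some of the legitimate ones, while the per-destination limiter drops exactly the 4,000 surplus packets addressed to the victim and nothing else, which is the property the question asks for.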

Q2. In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are: 

A. Dynamic numbers that refer to a security policy’s order and are especially useful when filtering security policies by tags 

B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement 

C. Static numbers that must be manually re-numbered whenever a new security policy is added 

Answer:

Q3. Wildfire may be used for identifying which of the following types of traffic? 

A. URL content 

B. DHCP 

C. DNS 

D. Viruses 

Answer:

Q4. Which of the following options may be enabled to reduce system overhead when using Content ID? 

A. STP 

B. VRRP 

C. RSTP 

D. DSRI 

Answer:

Q5. Which of the following types of protection are available in DoS policy? 

A. Session Limit, SYN Flood, UDP Flood 

B. Session Limit, Port Scanning, Host Swapping, UDP Flood 

C. Session Limit, SYN Flood, Host Swapping, UDP Flood 

D. Session Limit, SYN Flood, Port Scanning, Host Swapping 

Answer:

Q6. The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? Choose 2 answers 

A. Threat Prevention 

B. App-ID 

C. URL Filtering 

D. PAN-OS 

E. GlobalProtect Data File 

Answer: A,E 

Explanation: 

Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html 

Q7. When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on: 

A. Post-NAT addresses 

B. The same zones used in the NAT rules 

C. Pre-NAT addresses 

D. None of the above 

Answer:

Q8. How is the Forward Untrust Certificate used? 

A. It issues certificates encountered on the Untrust security zone. 

B. It is used for Captive Portal to identify unknown users. 

C. It is used when web servers request a client certificate. 

D. It is the issuer for an external certificate which is not trusted by the firewall. 

Answer:

Q9. After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs: 

pfs group mismatched: my:0 peer:2 

Which setting should be changed on the Palo Alto Firewall to resolve this error message? 

A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. 

B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2. 

C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2. 

D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs. 

Answer:

Explanation: 

Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/vpns/interpret-vpn-error-messages.html

Q10. What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? 

A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server. 

B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. 

C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain. 

D. A malicious domain is trying to contact an internal DNS server. 

Answer:

Explanation: 

Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14 
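The operational value of the sinkhole in Q10 is attribution: when clients resolve through an internal recursive resolver, the firewall only ever sees the resolver's outbound DNS query, so a threat log for a malicious domain names the DNS server, not the infected client. Because the sinkholed answer points the client at an address the firewall controls, the client's own follow-up session to that address lands in the traffic log with the real source IP. The script below is an added example for triaging such entries; it is not from the exam page or from Palo Alto Networks, and the CSV layout, the sinkhole address 192.0.2.53 and the resolver address 10.1.1.53 are all constructed (the real PAN-OS traffic log has many more fields in a different order).

```python
"""Added illustration: find internal hosts that contacted the DNS sinkhole.
The log is a constructed, simplified CSV, not the real PAN-OS traffic log."""
import csv
import io
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # assumed: sinkhole address set in the Anti-Spyware profile
INTERNAL_DNS = "10.1.1.53"   # assumed: internal recursive resolver
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. The client 10.1.5.23 asks the internal resolver, the
# resolver forwards upstream, and only the later session to the sinkhole
# address reveals which client actually wanted the malicious domain.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,action
2024/11/23 10:01:02,10.1.5.23,10.1.1.53,53,dns,allow
2024/11/23 10:01:02,10.1.1.53,198.51.100.53,53,dns,allow
2024/11/23 10:01:03,10.1.5.23,192.0.2.53,443,ssl,allow
2024/11/23 10:01:09,10.1.7.8,192.0.2.53,80,web-browsing,allow
2024/11/23 10:02:11,10.1.9.4,203.0.113.10,443,ssl,allow
"""


def is_internal(ip):
    """RFC 1918 check; done explicitly because ipaddress.is_private also
    matches the documentation ranges used for the constructed addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def sinkhole_contacts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return {client_ip: [(dport, app), ...]} for every session whose
    destination is the sinkhole. Each source is a host that resolved a domain
    the firewall classified as malicious and then tried to use the answer."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != sinkhole_ip:
            continue
        hits[row["src"]].append((int(row["dport"]), row["app"]))
    return {src: sorted(v) for src, v in hits.items()}


def resolver_only_view(log_text, resolver=INTERNAL_DNS):
    """What the firewall can attribute without a sinkhole: outbound DNS
    queries that leave the network all carry the resolver's address."""
    return sorted({
        row["src"] for row in csv.DictReader(io.StringIO(log_text))
        if row["app"] == "dns" and row["src"] == resolver and not is_internal(row["dst"])
    })


def triage(log_text):
    """Summarise which internal hosts hit the sinkhole versus what the
    DNS path alone would have shown."""
    hits = sinkhole_contacts(log_text)
    return {
        "infected_hosts": sorted(h for h in hits if is_internal(h)),
        "without_sinkhole": resolver_only_view(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, the sinkhole view names 10.1.5.23 and 10.1.7.8 as the hosts to investigate, while the DNS-only view can point at nothing but the resolver 10.1.1.53. The destination port and application in each hit are kept because they tell the responder what the malware tried next (HTTPS beacon, plain HTTP download, and so on).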

Q11. When configuring Security rules based on FQDN objects, which of the following statements are true? 

A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules are evaluated. 

B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. There is no limit on the number of IP addresses stored for each resolved FQDN. 

C. In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP addresses can be configured for each FQDN entry. 

D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The resolution of this FQDN stores up to 10 different IP addresses. 

Answer:

Q12. Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to "pre-logon"? 

A. Certificate Revocation List 

B. Trusted root certificate 

C. Machine certificate 

D. Online Certificate Status Protocol 

Answer:

Explanation: 

Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12. 

Q13. Which fields can be altered in the default Vulnerability profile? 

A. Severity 

B. Category 

C. CVE 

D. None 

Answer:

Q14. In the following display, ethernet1/6 is configured with an interface management profile that allows ping with no restriction on the source address: 

Given the following security policy rule base: 

What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of ethernet1/6? 

A. The firewall will send an ICMP redirect message to the client. 

B. The client will receive an ICMP "destination unreachable" packet. 

C. The interface will respond. 

D. The traffic will be dropped by the firewall. 

Answer:

Q15. A network administrator uses Panorama to push security policies to managed firewalls at branch offices. 

Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these policies? 

A. Implicit Rules 

B. Post Rules 

C. Default Rules 

D. Pre Rules 

Answer:
