A security engineer has configured a GlobalProtect portal agent with four gateways. Which
GlobalProtect Gateway will users connect to based on the chart provided?
A. South
B. West
C. East
D. Central
Explanation: Based on the provided table, the GlobalProtect portal agent configuration
includes four gateways with varying priorities and response times. Users will connect to the
gateway with the highest priority and, if multiple gateways share the same priority, the one
with the lowest response time.
Answer Determination
A network administrator notices a false-positive state after enabling Security profiles. When
the administrator checks the threat prevention logs, the related signature displays the
following:
threat type: spyware
category: dns-c2
threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this
signature?
A. Navigate to Objects > Security Profiles > Anti-Spyware
Select related profile
Select DNS exceptions tab
Search related threat ID and click enable
Commit
B. Navigate to Objects > Security Profiles > Vulnerability Protection
Select related profile
Select the signature exceptions tab and then click show all signatures
Search related threat ID and click enable
Change the default action
Commit
C. Navigate to Objects > Security Profiles > Vulnerability Protection
Select related profile
Select the Exceptions tab and then click show all signatures
Search related threat ID and click enable
Commit
D. Navigate to Objects > Security Profiles > Anti-Spyware
Select related profile
Select the Exceptions tab and then click show all signatures
Search related threat ID and click enable
Commit
Explanation: When dealing with a false positive, particularly for a spyware threat detected
through DNS queries (as indicated by the category "dns-c2"), the correct course of action
involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection
profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed
to detect and block spyware threats, which can include command and control (C2) activities
often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID:
1000011111) are as follows:
1. Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
2. Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
3. Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
4. Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
5. Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without
disabling the overall spyware protection capabilities of the firewall.
An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?
A. Ping interval of 200 ms and ping count of three failed pings
B. Ping interval of 5000 ms and ping count of 10 failed pings
C. Ping interval of 200 ms and ping count of 10 failed pings
D. Ping interval of 5000 ms and ping count of three failed pings
Explanation: Ping Interval—Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms). Ping Count—Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).
A company wants to deploy IPv6 on its network, which requires that all company Palo Alto Networks firewalls process IPv6 traffic and be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?
A. Device > Setup Settings; Do not enable on each interface
B. Network > Zone Settings; Do not enable on each interface
C. Network > Zone Settings; Enable on each interface
D. Device > Setup Settings; Enable on each interface
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
B. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
C. The firewall rejects the pushed configuration, and the commit fails.
D. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.
Which statement about High Availability timer settings is true?
A. Use the Critical timer for faster failover timer settings.
B. Use the Aggressive timer for faster failover timer settings.
C. Use the Moderate timer for typical failover timer settings.
D. Use the Recommended timer for faster failover timer settings.
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
A. The amount of decrypted traffic
B. The timeout value for admin sessions
C. The number of mapped User-ID groups
D. The number of permitted IP addresses on the management interface
Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?
A. IKE Crypto Profile
B. Security policy
C. Proxy-IDs
D. PAN-OS versions