Palo Alto Networks Certified Network Security Consultant v1.0

Page:    1 / 4   
Exam contains 59 questions

TAC has requested a PCAP on your Panorama to see why the DNS app is having intermittent issues resolving FQDN.
What is the appropriate CLI command?

  • A. tcpdump snaplen 53 filter “port 53”
  • B. tcp dump snaplen 0 filter “app dns”
  • C. tcpdump snaplen 0 filter “port 53”
  • D. tcp dump snaplen 53 filter “tcp 53”


Answer : C

A firewall configuration is being migrated by Expedition from a third-party vendor to a Palo Alto Networks Next-Generation Firewall (NGFW). Expedition flags one service as invalid following the import of the original configuration file. An engineer investigates and finds the invalid service to be ping, which is used by the security policies.
Which action should the engineer take?

  • A. Create an Application Override policy to override the ping service classification with ping application.
  • B. Remove ping service from all the policies which reference it.
  • C. Ignore the invalid flag in Expedition for the firewall to accept ping service.
  • D. Use the search & replace in Expedition to replace the ping service classification with ping application.


Answer : D

SSL decryption has been implemented in a customer environment. The firewall protecting this environment is using PAN-OS 10.0. Users of an application are filing support cases claiming that a function of this application is no longer working.
Where should the investigation for decryption issues begin?

  • A. the Correlated Events log
  • B. the “session end reason” column in the Traffic log
  • C. the CLI, using the less mp-log ikemgr.log command
  • D. the Decryption log


Answer : D

What information is necessary to properly plan the deployment of a Panorama hardware appliance for firewall management?

  • A. Virtual router, zones, and interface configuration of the dataplane interface
  • B. ESXi Server location and routing to the Panorama appliance
  • C. Wiring, power, Console access, and management interface connectivity
  • D. Panorama Mode, number of managed devices, CPU, and memory allocation in the hypervisor


Answer : C

Which additional license is required for the feature Host Information Profiles to function on Palo Alto Networks Next-Generation Firewalls?

  • A. Threat
  • B. WildFire
  • C. GlobalProtect gateway
  • D. IoT


Answer : C

What is the default port used by the Terminal Services agent to communicate with a firewall?

  • A. 5009
  • B. 5007
  • C. 636
  • D. 443


Answer : B

SSL Forward Proxy decryption is enabled on the firewall. When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates. The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates.
Which two options will satisfy this requirement? (Choose two.)

  • A. Create a PKI signed Forward Untrust enabled certificate.
  • B. Create a self-signed Forward Untrust enabled certificate.
  • C. Create a Decryption Profile with the “Block sessions with expired certificates” option enabled.
  • D. Remove the Forward Untrust option from the Forward Trust certificate.


Answer : AB

Your customer wants to implement Active/Active High Availability for their PA-5260 pair. The following conditions are true in their environment:
- They are using multiple Layer 3 interfaces to process traffic.
- Their routing topology requires the use of Network Address Translation policies to ensure that traffic can reach its destinations correctly.
- They prefer to have the session workload distributed as evenly as possible to ensure both firewalls have lower resource utilization.
- They make use of dynamic routing protocols on their virtual routers for route-based redundancy.
- They chose to go with Active/Active for failover speed reasons.
Which three of the following HA configurations should your customer ensure they use to meet these requirements? (Choose three.)

  • A. HA1A, HA1B, and HA2 interfaces
  • B. HA1A, HA1B, HA2, and HA3 interfaces
  • C. Session selection algorithm – Primary Device
  • D. Active/Active HA Binding in the NAT policies
  • E. Session selection algorithm – First Packet


Answer : BDE

Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?

  • A. show system state filter sys.p*.phy
  • B. show system state filter sys.s*.p*.phy
  • C. show system info
  • D. show interface <interface name> detail


Answer : B

Which three attributes can be used to exclude traffic from an SSL Decryption policy? (Choose three.)

  • A. User-ID
  • B. URL Category
  • C. HIP Profile
  • D. Application
  • E. Destination


Answer : ABE

Which two options describe the behavior of the “Direction” property in a WildFire Analysis Profile rule? (Choose two.)

  • A. The both direction option matches all files that are seen by the firewall, regardless of whether the transfer is started by the connection initiator or responder.
  • B. The download direction option matches files that the connection initiator received from the service it connected to.
  • C. The upload direction option matches only files that were uploaded to the internet by a user on the Inside network.
  • D. The both direction option matches all files, but only if the transfer is started by the connection initiator.


Answer : AB

A company’s network operations engineer is documenting a solution and wants to know the default priority setting for an LACP connection.
If no changes are made to the default configuration settings for the LACP, which priority setting should you share with the engineer?

  • A. 32,768
  • B. 100
  • C. 1
  • D. 65,535


Answer : A

Examine the configured Security policy rule. Which day one/Iron Skillet Security Profile Group is used to secure the traffic that is permitted through this rule?

  • A. Internal
  • B. Inbound
  • C. Default
  • D. Outbound


Answer : A

In preparation for a cutover event, which two processes or procedures should be verified? (Choose two.)

  • A. Auditing
  • B. Change management requirements
  • C. Roles and responsibilities
  • D. Logging and reporting


Answer : BC

A firewall that was previously connected to a User-ID agent server now shows disconnected.
What is the likely cause?

  • A. The server has stopped listening on port 2010.
  • B. The Domain Controller service account has been locked out.
  • C. The agent is not running.
  • D. The firewall was upgraded to a PAN-OS version that is not compatible with the agent version.


Answer : D
