Palo Alto Networks - actualTests.pcnsE6.v2015!11!26.by - Ndanga.51q

PCNSE6
Number: PCNSE6
Passing Score: 800
Time Limit: 120 min
File Version: 14.0
http://www.gratisexam.com/
PCNSE6
Palo Alto Networks Certified Network Security Engineer 6.0

Exam A
QUESTION 1
Which authentication method can provide role-based administrative access to firewalls running PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers
A. Application Identification (App-ID)

B. Group Identification (Group-ID)
C. User Identification (User-ID)
D. Threat Identification (Threat-ID)
E. Content Identification (Content-ID)
Correct Answer: ACE

Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf
page 5
QUESTION 3
Given the following routing table:
Which configuration change on the firewall would cause it to use 10.66.24.88 as the nexthop for the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Correct Answer: D
Section: (none)
Explanation
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-3- 17278/Route%20Redistribution%20and%20Filtering%20TechNote%20-
%20Rev%20B.pdf
QUESTION 4
A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information:
Users outside the company are in the "Untrust-L3" zone. The web server physically resides in the "Trust-L3" zone.
Web server public IP address: 1.1.1.1
Web server private IP address: 192.168.1.10
Which NAT Policy rule will allow users outside the company to access the web server?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: B
Section: (none)
Explanation
QUESTION 5
A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for WildFire updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
E. Every 5 minutes
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11
QUESTION 6
Which method is the most efficient for determining which administrator made a specific change to the running config?
A. In the Configuration log, set a filter for the edit command and look for the object that was changed.
B. In the System log, set a filter for the name of the object that was changed.
C. In Config Audit, compare the current running config to all of the saved configurations until the change is found.
D. In Config Audit, compare the current running config to previous committed versions until the change is found.
Correct Answer: B
Section: (none)
Explanation
QUESTION 7
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific file type, and there is a specific application that you want to
match in the policy.
What are three valid actions that can be set when the specified file is detected? Choose 3 answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Correct Answer: BCD

Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287
QUESTION 8
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the following election settings:
Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state. Firewall 5050-B reboots causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is back online?
A. Both firewalls are active (split brain)

B. Firewall 5050-B
C. Firewall 5050-A
D. It could be either firewall
Correct Answer: B
Section: (none)
Explanation
Reference: https://live.paloaltonetworks.com/docs/DOC-2926
QUESTION 9
Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis, regardless of interface(s). They provide reconnaissance
protection against TCP/UDP port scans and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions that can be
used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop".
Correct Answer: BD
Section: (none)
Explanation
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-3- 25328/Application%20DDoS%20Mitigation.pdf page 4
QUESTION 10
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo Alto Networks firewall for multiple virtual systems?
A. In the GUI under Network->Global Protect->Gateway->Vsys2

B. In the GUI under Device->Setup->Session->Session Settings
C. In the GUI under Device->Virtual Systems->Vsys2->Resource
D. In the GUI under Network->Global Protect->Portal->Vsys2
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6
QUESTION 11
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver. There are
currently 20 PA-5060 s, each of which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog messages from a single source and has already deployed one in Panorama
mode and the other as a Log Collector.
What is the remaining step in implementing this solution?
A. Configure Collector Log Forwarding

B. Configure a Syslog Proxy Profile
C. Configure a Panorama Log Forwarding Profile
D. Enable Syslog Aggregation
Correct Answer: A
Section: (none)
Explanation
QUESTION 12
What can cause missing SSL packets when performing a packet capture on data plane interfaces?
A. There is a hardware problem with the offloading FPGA on the management plane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are hardware offloaded to the offload processor on the data plane.
D. The packets are not captured because they are encrypted.
Correct Answer: C
Section: (none)
Explanation
QUESTION 13
A company has a policy that denies all applications they classify as bad and permits only applications they classify as good. The firewall administrator created the
following security policy on the company s firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers
A. Different security profiles can be applied to traffic matching rules 2 and 3.

B. Separate Log Forwarding profiles can be applied to rules 2 and 3.
C. Rule 2 denies traffic flowing across different TCP and UDP ports than rule 3.
D. A report can be created that identifies unclassified traffic on the network.
Correct Answer: AD
Section: (none)
Explanation
QUESTION 14
Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:
Assume the following:
1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the company's external DNS server and to the internal interface of the firewall
on the company s internal DNS server.
3. The URL gatewayl.company.com resolves to the external interface of the firewall on the company's external DNS server and to the internal interface of the
firewall on the company s internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 15
What is the maximum usable storage capacity of an M-100 appliance?
A. 2TB
B. 4TB
C. 6TB
D. STB
Correct Answer: B
Section: (none)
Explanation
Reference:
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up- panorama/set-up-the-m-100-appliance.html
QUESTION 16
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
Correct Answer: D
Section: (none)
Explanation
QUESTION 17
What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain.
D. A malicious domain is trying to contact an internal DNS server.
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14
QUESTION 18
Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
A. Apply an Application Override Policy

B. Disable Server Response Inspection
C. Add server IP to Security Policy exception
D. Disable HIP Profile
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/getting- started/set-up-basic-security-policies.html
QUESTION 19
Which two interface types provide support for network address translation (NAT)? Choose 2 answers
A. HA
B. Tap
C. Layer3
D. Virtual Wire
E. Layer2
Correct Answer: CD
Section: (none)
Explanation
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-7- 11647/Understanding_NAT-4.1-RevC.pdf
QUESTION 20
A firewall is being attacked with a port scan. Which component can prevent this attack?
A. DoS Protection
B. Anti-Spyware
C. Vulnerability Protection
D. Zone Protection
Correct Answer: D
Section: (none)
Explanation
QUESTION 21
A Palo Alto Networks firewall has the following interface configuration;
Hosts are directly connected on the following interfaces:

Ethernet 1/6 - Host IP 192.168.62.2
Ethernet 1/3 - Host IP 10.46.40.63
The security administrator is investigating why ICMP traffic between the hosts is not working.
She first ensures that ail traffic is allowed between zones based on the following security policy rule:
The routing table of the firewall shows the following output:

Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to communicate based on this information?
A. Change the Management Profile.

B. Change the security policy to explicitly allow ICMP on this interface.
C. Change the configured zone to DMZ.
D. Change the Virtual Router setting to VR1.
Correct Answer: D
Section: (none)
Explanation
QUESTION 22
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following
entry is appearing in the logs:
pfs group mismatched: my:0 peer:2

Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/vpns/interpret- vpn-error-messages.html
QUESTION 23
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Correct Answer: BD
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf
page 10
QUESTION 24
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in
Panorama's traffic logs.
What could be the problem?
A. The firewall is not licensed for logging to this Panorama device.

B. Panorama is not licensed to receive logs from this particular firewall.
C. None of the firewall's policies have been assigned a Log Forwarding profile.
D. A Server Profile has not been configured for logging to this Panorama device.
Correct Answer: C
Section: (none)
Explanation
QUESTION 25
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? Choose 2
answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Correct Answer: BC
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html
QUESTION 26
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? Choose 3 answers
A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2

B. Validating that UDP port 53 packets are not being used to tunnel data for another protocol
C. Identifying unauthorized applications that attempt to connect over non-standard ports
D. Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server
E. Removing from the session table any TCP session without traffic for 3600 seconds
Correct Answer: BCD

Section: (none)
Explanation
QUESTION 27
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface goes down?
A. Link Monitoring
B. Heartbeat Polling
C. Preemption
D. SNMP Polling
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130
QUESTION 28
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone.

B. It is used for Captive Portal to identify unknown users.
C. It is used when web servers request a client certificate.
D. It is the issuer for an external certificate which is not trusted by the firewall.
Correct Answer: D
Section: (none)
Explanation
QUESTION 29
By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be configured in order to send syslog data out of a different
interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reports-and- logging/define-remote-logging-destinations.html
QUESTION 30
A network administrator uses Panorama to push security policies to managed firewalls at branch offices.
Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Correct Answer: D
Section: (none)
Explanation
QUESTION 31
A network engineer experienced network reachability problems through the firewall. The routing table on the device is complex. To troubleshoot the problem the
engineer ran a Command Line Interface (CLI) command to determine the egress interface for traffic destined to 98.139.183.24.
The command resulted in the following output:
How should this output be interpreted?
A. There is no route for the IP address 98.139.183.24, and there is a default route for outbound traffic.
B. There is no interface in the firewall with the IP address 98.139.183.24.
C. In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16.
D. There is no route for the IP address 98.139.183.24, and there is no default route.
Correct Answer: D
Section: (none)
Explanation
QUESTION 32
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL
Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/documentation/61/pan- os/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxy-
server- certificates.html
QUESTION 33
A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central controller
using TCP and frequently disconnect due to a premature timeouts when going through a Palo Alto Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom application.
Correct Answer: C
Section: (none)
Explanation
QUESTION 34
Ethernet 1/1 has been configured with the following subinterfaces:
The following security policy is applied:
The Interface Management Profile permits the following:

Your customer is trying to ping 10.10.10.1 from VLAN 800 IP 10.10.10.2/24
What will be the result of this ping?
A. The ping will be successful because the management profile applied to Ethernet1/1 allows ping.
B. The ping will not be successful because the virtual router is different from the other subinterfaces.
C. The ping will not be successful because there is no management profile attached to Ethernet1/1.799.
D. The ping will not be successful because the security policy does not apply to VLAN 800.
E. The ping will be successful because the security policy permits this traffic.
Correct Answer: D
Section: (none)
Explanation
QUESTION 35
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A. Security, NAT, Policy-Based Forwarding

B. Intrazone, Interzone, Global
C. Intrazone, Interzone, Universal
D. Application, User, Content
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19
QUESTION 36
Which two steps are required to make Microsoft Active Directory users appear in the firewall's traffic log? Choose 2 answers
A. Enable User-ID on the zone object for the source zone.

B. Enable User-ID on the zone object for the destination zone.
C. Configure a RADIUS server profile to point to a domain controller.
D. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
E. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions.
Correct Answer: AE
Section: (none)
Explanation
QUESTION 37
It is discovered that WebandNetTrends Unlimited's new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic.
Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? Choose 2
answers
A. A custom application, with a name properly describing the new web server s purpose
B. A custom application and an application override policy that assigns traffic going to and from the web server to the custom application
C. An application override policy that assigns the new web server traffic to the built-in application "web-browsing"
D. A custom application with content and threat detection enabled, which includes a signature, identifying the new web server s traffic
Correct Answer: AB
Section: (none)
Explanation
QUESTION 38
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but
there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
A. Application Command Center (ACC)

B. QoS Statistics
C. QoS Log
D. Applications Report
Correct Answer: A
Section: (none)
Explanation
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
QUESTION 39
A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a
destination NAT Policy rule.
Given the following zone information:
DMZzone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
Correct Answer: C
Section: (none)
Explanation
QUESTION 40
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Allow
B. Alert
C. Log
D. Default
Correct Answer: B
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url- filtering/configure-url-filtering.html
QUESTION 41
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Correct Answer: D
Section: (none)
Explanation
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf
QUESTION 42
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? Choose 2 answers
A. Threat Prevention
B. App-ID
C. URL Filtering
D. PAN-OS
E. GlobalProtect Data File
Correct Answer: AE
Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html
QUESTION 43
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to
a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?
A. Zone Protection Policy with UDP Flood Protection

B. Classified DoS Protection Policy using destination IP only with a Protect action
C. QoS Policy to throttle traffic below maximum limit
D. Security Policy rule to deny traffic to the IP address and port that is under attack
Correct Answer: B
Section: (none)
Explanation
QUESTION 44
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
A. Multi-Core Security Processor

B. Signature Match Processor
C. Network Processor
D. Protocol Decoder Processor
E. Management Processor
Correct Answer: ABC

Section: (none)
Explanation
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks- com/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf
page 8
QUESTION 45
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall.
Which method will show the global counters associated with the traffic after configuring the appropriate packet filters?
A. From the CLI, issue the show counter interface command for the egress interface.
B. From the GUI, select "Show global counters" under the Monitor tab.
C. From the CLI, issue the show counter global filter packet-filter yes command.
D. From the CLI, issue the show counter interface command for the ingress interface.
Correct Answer: C
Section: (none)
Explanation
QUESTION 46
In the following display, ethernetl/6 is configured with an interface management profile that allows ping with no restriction on the source address:
Given the following security policy rule base:
What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of ethernet1/6?
A. The firewall will send an ICMP redirect message to the client.

B. The client will receive an ICMP "destination unreachable" packet.
C. The interface will respond.
D. The traffic will be dropped by the firewall.
Correct Answer: D
Section: (none)
Explanation
QUESTION 47
A security architect has been asked to implement User-ID in a MacOS environment with no enterprise email, using a Sun LDAP server for user authentication.
In this environment, which two User-ID methods are effective for mapping users to IP addresses? Choose 2 answers
A. Terminal Server Agent

B. Mac OS Agent
C. Captive Portal
D. GlobalProtect
Correct Answer: CD
Section: (none)
Explanation
QUESTION 48
Which feature can be configured with an IPv6 address?
A. Static Route
B. RIPv2
C. DHCP Server
D. BGP
Correct Answer: A
Section: (none)
Explanation
QUESTION 49
A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive configuration and will be using HA-Lite.
Which capability can be used in this situation?
A. Configuration Sync
B. Link Aggregation
C. Session Sync
D. Jumbo Frames
Correct Answer: A
Section: (none)
Explanation
QUESTION 50
Assuming that the default antivirus profile is installed, match each decoder with its default action.
Answer options may be used more than once or not at all.
Hot Area:
Correct Answer:
Section: (none)
Explanation
QUESTION 51
Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are several possible values for Action:
Match each Reconnaissance Protection Action to its description.
Answer options may be used more than once or not at all.
Hot Area:
Correct Answer:
Section: (none)
Explanation

Palo Alto Networks - actualTests.pcnsE6.v2015!11!26.by - Ndanga.51q

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Palo Alto Networks - actualTests.pcnsE6.v2015!11!26.by - Ndanga.51q

Încărcat de

Drepturi de autor:

Formate disponibile

PCNSE6

Palo Alto Networks Certified Network Security Engineer 6.0

A. Application Identification (App-ID)

Correct Answer: ACE

Correct Answer: BCD

A. Both firewalls are active (split brain)

A. In the GUI under Network->Global Protect->Gateway->Vsys2

What is the remaining step in implementing this solution?

A. Configure Collector Log Forwarding

A. Different security profiles can be applied to traffic matching rules 2 and 3.

A. Apply an Application Override Policy

Hosts are directly connected on the following interfaces:

The routing table of the firewall shows the following output:

A. Change the Management Profile.

pfs group mismatched: my:0 peer:2

A. The firewall is not licensed for logging to this Panorama device.

A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2

Correct Answer: BCD

A. It issues certificates encountered on the Untrust security zone.

How should this output be interpreted?

The Interface Management Profile permits the following:

What will be the result of this ping?

A. Security, NAT, Policy-Based Forwarding

A. Enable User-ID on the zone object for the source zone.

A. Application Command Center (ACC)

A. Zone Protection Policy with UDP Flood Protection

A. Multi-Core Security Processor

Correct Answer: ABC

Given the following security policy rule base:

A. The firewall will send an ICMP redirect message to the client.

A. Terminal Server Agent

Answer options may be used more than once or not at all.

Answer options may be used more than once or not at all.

S-ar putea să vă placă și