CertsTopics Logo

Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

PCNSE Paloalto Networks Exam Lab Questions

Page: 7 / 28
Total 374 questions
Get PCNSE Full Access Download PCNSE PDF

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Question 25

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?

Options:

A.

The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

B.

Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

C.

The firewalls do not use floating IPs in active/active HA.

D.

The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Question 26

As a best practice, logging at session start should be used in which case?

Options:

A.

While troubleshooting

B.

Only on Deny rules

C.

On all Allow rules

D.

Only when log at session end is enabled

Question 27

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time. Which method is the most time-efficient to complete this task?

Options:

A.

Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

B.

Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

C.

Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

D.

Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

Question 28

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Options:

A.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: Static IP / 172.16.15.1Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 172.16.15.10 -Application: ssh

B.

NAT Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP / 172.16.15.10Security Rule:Source Zone: Trust -Source IP: 192.168.15.0/24 -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

C.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Trust -Destination IP: 192.168.15.1 -Destination Translation: Static IP /172.16.15.10Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

D.

NAT Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Source Translation: dynamic-ip-and-port / ethernet1/4Security Rule:Source Zone: Trust -Source IP: Any -Destination Zone: Server -Destination IP: 172.16.15.10 -Application: ssh

Page: 7 / 28
Total 374 questions
Get PCNSE Full Access Download PCNSE PDF