CertsTopics Logo

Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Vce PCNSE Questions Latest

Page: 27 / 28
Total 374 questions
Get PCNSE Full Access Download PCNSE PDF

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Question 105

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Question 106

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Question 107

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

Options:

A.

Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency

B.

Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer

C.

Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability

D.

Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

Question 108

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?

Options:

A.

It downgrades the protocol to ensure compatibility.

B.

It generates a decryption error message but allows the traffic to continue decryption.

C.

It blocks all communication with the server indefinitely.

D.

It automatically adds the server to the SSL decryption exclusion list.

Page: 27 / 28
Total 374 questions
Get PCNSE Full Access Download PCNSE PDF