PCNSE8 Online Practice Questions and Answers

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

A. check

B. find

C. test

D. sim

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM- Series firewalls? (Choose two.)

A. Red Hat Enterprise Virtualization (RHEV)

B. Kernel Virtualization Module (KVM)

C. Boot Strap Virtualization Module (BSVM)

D. Microsoft Hyper-V

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

A. Deny application facebook-chat before allowing application facebook

B. Deny application facebook on top

C. Allow application facebook on top

D. Allow application facebook before denying application facebook-chat

Which three firewall states are valid? (Choose three.)

A. Active

B. Functional

C. Pending

D. Passive

E. Suspended

Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.

Which two Security policy rules will accomplish this configuration? (Choose two.)

A. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow

B. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow

C. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow

D. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow

E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command: less mp-log ikemgr.log:

What could be the cause of this problem?

A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the ASA.

B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.

C. The shared secerts do not match between the Palo Alto firewall and the ASA

D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA

A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.

B. Traffic will be forced to operate over UDP Port 16384.

C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".

D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?

A. Configure ECMP to handle matching NAT traffic

B. Configure a NAT Policy rule with Dynamic IP and Port

C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option

D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option

A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?

A. Block all unauthorized applications using a security policy

B. Block all known internal custom applications

C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks

D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks

An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.

B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.

C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.

D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.