Palo Alto Networks Palo Alto Networks Certifications PCNSE8 Questions & Answers

• Question 11:

  A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:

  *

  Users outside the company are in the "Untrust-L3" zone.

  *

  The web server physically resides in the "Trust-L3" zone.

  *

  Web server public IP address: 23.54.6.10

  *

  Web server private IP address: 192.168.1.10

  Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

  A. Destination IPof 23.54.6.10

  B. UntrustL3 for both Source and Destination Zone

  C. Destination IP of 192.168.1.10

  D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone

  Correct Answer: AB

• Question 12:

  In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used?

  A. LDAP

  B. Kerberos

  C. Certification based authentication

  D. RADIUS with Vendor-Specific Attributes

  Correct Answer: D

• Question 13:

  Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

  A. ms.log

  B. traffic.log

  C. system.log

  D. dp-monitor.log

  E. authd.log

  Correct Answer: CE

• Question 14:

  When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log. What will be the destination IP Address in that log entry?

  A. The IP Address of sinkhole.paloaltonetworks.com

  B. The IP Address of the command-and-control server

  C. The IP Address specified in the sinkhole configuration

  D. The IP Address of one of the external DNS servers identified in the anti-spyware database

  Correct Answer: C

  https://live.paloaltonetworks.com/t5/MaHYPERLINK "https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function- is-Working/ta-p/65864"naHYPERLINK "https://live.paloaltonetworks.com/t5/Management- Articles/How-to-Verify-DNS-Sinkhole-Function-isWorking/ta-p/65864"gement-Articles/How-to- Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864

• Question 15:

  Which CLI command displays the current management plane memory utilization?

  A. > debug management-server show

  B. > show running resource-monitor

  C. > show system info

  D. > show system resources

  Correct Answer: D

  https://HYPERLINK "https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show- system-resources/ta-p/59364"live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret- show-system-resources/ta-p/59364 "The command show system resources gives a snapshot of Management Plane (MP) resource utilization including memory and CPU. This is similar to the `top' command in Linux." https://live.HYPERLINK "https://live.paloaltonetworks.com/t5/ Learning-Articles/How-to-Interpret- show-system-resources/ta-p/59364"paloHYPERLINK "https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system- resources/ta-p/59364"altonetworHYPERLINK "https://live.paloaltonetworks.com/t5/Learning- Articles/How-to-Interpret-show-system-resources/tap/59364"ks.com/t5/Learning-Articles/How-to- Interpret-show-system-resources/ta-p/59364

• Question 16:

  A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

  A. BGP not sure

  B. OSPFv3

  C. RIP

  D. Static Route

  Correct Answer: BD

  https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic- Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

• Question 17:

  

  What will be the source address in the ICMP packet?

  A. 10.30.0.93

  B. 10.46.72.93

  C. 10.46.64.94

  D. 192.168.93.1

  Correct Answer: C

• Question 18:

  A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?

  A. Block all unauthorized applications using a security policy

  B. Block all known internal custom applications

  C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks

  D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks

  Correct Answer: D

• Question 19:

  Which three rule types are available when defining policies in Panorama? (Choose three.)

  A. Pre Rules

  B. Post Rules

  C. Default Rules

  D. Stealth Rules

  E. Clean Up Rules

  Correct Answer: ABC

  https://www.paloaltonetwoHYPERLINK "https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama- web-interface/defining-policies-on-panorama"rks.com/documentation/71/pan-os/web- interHYPERLINK "https://www.paloaltonetworks.com/ documentation/71/pan-os/web-interface- help/panorama-web-interface/defining-policies-on-panorama"face-help/panorama-web- interface/defining-policies-on-panorama

• Question 20:

  Which CLI command displays the current management plan memory utilization?

  A. > show system info

  B. > show system resources

  C. > debug management-server show

  D. > show running resource-monitor

  Correct Answer: B

  https://live.paloaltonetworks.comHYPERLINK "https://live.paloaltonetworks.com/t5/Management- Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta- p/58149"/t5/Management-Articles/Show-System-ResourceCommand-Displays-CPU-Utilization-of- 9999/ta-p/58149