Palo Alto Networks Palo Alto Networks Certifications PCNSE8 Questions & Answers

• Question 61:

  A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information: DMZ zone: DMZ-L3 Public zone: Untrust-L3 Guest zone: Guest-L3 Web server zone: Trust-L3 Public IP address (Untrust-L3): 1.1.1.1 Private IP address (Trust-L3): 192.168.1.50

  What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

  A. Untrust-L3

  B. DMZ-L3

  C. Guest-L3

  D. Trust-L3

  Correct Answer: A

• Question 62:

  Palo Alto Networks maintains a dynamic database of malicious domains.

  Which two Security Platform components use this database to prevent threats? (Choose two)

  A. Brute-force signatures

  B. BrightCloud Url Filtering

  C. PAN-DB URL Filtering

  D. DNS-based command-and-control signatures

  Correct Answer: CD

• Question 63:

  A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

  A. test security -policy- match source destination destination port protocol

  B. show security rule source destination destination port protocol

  C. test security rule source destination destination port protocol

  D. show security-policy-match source destination destination port protocol test security-policy-match source

  Correct Answer: A

  test security-policy-match source destination protocol https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy- Applies-to-a-Traffic-Flow/ta-p/53693

• Question 64:

  The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to

  10.1.1.100 on TCP Port 8080.

  

  Which NAT and security rules must be configured on the firewall? (Choose two)

  A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application

  B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.

  C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.

  D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

  Correct Answer: BD

• Question 65:

  Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

  A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes

  B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.

  C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.

  D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode.

  E. Log in the Panorama CLI of the dedicated Log Collector

  Correct Answer: BE

  (https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up- panorama/set-up-the-m-100-appliance)

• Question 66:

  A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post. Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

  A. Zone Protection Policy with UDP Flood Protection

  B. QoS Policy to throttle traffic below maximum limit

  C. Security Policy rule to deny trafic to the IP address and port that is under attack

  D. Classified DoS Protection Policy using destination IP only with a Protect action

  Correct Answer: D

• Question 67:

  Which three options are available when creating a security profile? (Choose three)

  A. Anti-Malware

  B. File Blocking

  C. Url Filtering

  D. IDS/ISP

  E. Threat Prevention

  F. Antivirus

  Correct Answer: ABF

• Question 68:

  Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

  A. Vulnerability Object

  B. DoS Protection Profile

  C. Data Filtering Profile

  D. Zone Protection Profile

  Correct Answer: BD

• Question 69:

  The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out

  what traffic is causing the jitter in real time when a user reports the jitter.

  Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

  A. QoS Statistics

  B. Applications Report

  C. Application Command Center (ACC)

  D. QoS Log

  Correct Answer: A

• Question 70:

  Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found. Which action will allow youtube.com display in the browser correctly?

  A. Add SSL App-ID to Rule1

  B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it

  C. Add the DNS App-ID to Rule2

  D. Add the Web-browsing App-ID to Rule2

  Correct Answer: C