PCNSE6 (48Q)
Number: PCNSE6
Passing Score: 800
Time Limit: 120 min
File Version: 4.9
PCNSE6
Palo Alto Networks Certified Network Security Engineer 6.0
1. I was so happy when I cleared the exam with great scores 94%.
2. How great and perfect exam preparation tool is that!
3. I've used this, and want everyone else to benefit from it too.
4. You can now be victorious in test by simply preparing from the online guide.
www.vceplus.com - Website designed to help IT pros advance their careers - Born to Learn
Exam A
QUESTION 1
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the following election settings:
Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state. Firewall 5050-B reboots causing 5050-A to become
Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is back online?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis, regardless of interface(s). They provide
reconnaissance protection against TCP/UDP port scans and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions
that can be used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop".
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo Alto Networks firewall for multiple virtual systems?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
A security engineer has been asked by management to optimize how Palo Alto Networks firewall syslog messages are forwarded to a syslog receiver.
There are currently 20 PA-5060s, each of which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog messages from a single source and has already deployed one in
Panorama mode and the other as a Log Collector.
What is the remaining step in implementing this solution?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
What can cause missing SSL packets when performing a packet capture on data plane interfaces?
A. There is a hardware problem with the offloading FPGA on the management plane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are hardware offloaded to the offload processor on the data plane.
D. The packets are not captured because they are encrypted.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
A company has a policy that denies all applications they classify as bad and permits only applications they classify as good. The firewall administrator
created the following security policy on the company's firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers
A.
B.
C.
D.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Company employees have been given access to the GlobalProtect Portal at https://portal.company.com:
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
What is the maximum usable storage capacity of an M-100 appliance?
A. 2TB
B. 4TB
C. 6TB
D. 8TB
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the user's traffic and the name of the PDF file.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain.
D. A malicious domain is trying to contact an internal DNS server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Which two interface types provide support for network address translation (NAT)? Choose 2 answers
A. HA
B. Tap
C. Layer3
D. Virtual Wire
E. Layer2
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
A firewall is being attacked with a port scan. Which component can prevent this attack?
A. DoS Protection
B. Anti-Spyware
C. Vulnerability Protection
D. Zone Protection
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
A Palo Alto Networks firewall has the following interface configuration:
She first ensures that all traffic is allowed between zones based on the following security policy rule:
Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to communicate based on this information?
A.
B.
C.
D.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly.
The following entry is appearing in the logs:
pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent
threats? Choose 2 answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? Choose 3 answers
A.
B.
C.
D.
E.
Link Monitoring
Heartbeat Polling
Preemption
SNMP Polling
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
How is the Forward Untrust Certificate used?
A.
B.
C.
D.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be configured in order to send syslog data out of a
different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
A network administrator uses Panorama to push security policies to managed firewalls at branch offices.
Which policy type should be configured on Panorama if the administrator wishes to allow local administrators at the branch office sites to override these
policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
A network engineer experienced network reachability problems through the firewall. The routing table on the device is complex. To troubleshoot the
problem the engineer ran a Command Line Interface (CLI) command to determine the egress interface for traffic destined to 98.139.183.24. The
command resulted in the following output:
There is no route for the IP address 98.139.183.24, and there is a default route for outbound traffic.
There is no interface in the firewall with the IP address 98.139.183.24.
In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16.
There is no route for the IP address 98.139.183.24, and there is no default route.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing
SSL Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
A hotel chain is using a system to centrally control a variety of items in guest rooms. The client devices in each guest room communicate to the central
controller using TCP and frequently disconnect due to premature timeouts when going through a Palo Alto Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom application.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
Which two steps are required to make Microsoft Active Directory users appear in the firewall's traffic log? Choose 2 answers
A.
B.
C.
D.
E.
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
It is discovered that WebandNetTrends Unlimited's new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp"
traffic.
Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic?
Choose 2 answers
A. A custom application, with a name properly describing the new web server's purpose
B. A custom application and an application override policy that assigns traffic going to and from the web server to the custom application
C. An application override policy that assigns the new web server traffic to the built-in application "web-browsing"
D. A custom application with content and threat detection enabled, which includes a signature, identifying the new web server's traffic
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall
interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user
reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to
configure a destination NAT Policy rule.
Given the following zone information:
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 32
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
A. Allow
B. Alert
C. Log
D. Default
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks security services? Choose 2 answers
A. Threat Prevention
B. App-ID
C. URL Filtering
D. PAN-OS
E. GlobalProtect Data File
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections
per second to a single destination IP address and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with nonstandard syslog servers?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to "pre-logon"?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
A company is in the process of upgrading their existing Palo Alto Networks firewalls from version 6.1.0 to 6.1.1.
Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the enterprise? Choose 3 answers
A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall.
B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall after manually uploading.
C. Download PAN-OS 6.1.1 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
D. Push the PAN-OS 6.1.1 update from one firewall to all of the other remaining after updating one firewall.
E. Download and push PAN-OS 6.1.1 from Panorama to each firewall.
F. Download and install PAN-OS 6.1.1 directly on each firewall.
Which configuration change on the firewall would cause it to use 10.66.24.88 as the nexthop for the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information:
Which NAT Policy rule will allow users outside the company to access the web server?
A.
B.
C.
D.
Option A
Option B
Option C
Option D
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 40
A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as
possible.
What is the shortest time interval the company can configure their firewall to check for WildFire updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
E. Every 5 minutes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
Which method is the most efficient for determining which administrator made a specific change to the running config?
A. In the Configuration log, set a filter for the edit command and look for the object that was changed.
B. In the System log, set a filter for the name of the object that was changed.
C. In Config Audit, compare the current running config to all of the saved configurations until the change is found.
D. In Config Audit, compare the current running config to previous committed versions until the change is found.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific file type, and there is a specific application that you
want to match in the policy.
What are three valid actions that can be set when the specified file is detected? Choose 3 answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall.
Which method will show the global counters associated with the traffic after configuring the appropriate packet filters?
A. From the CLI, issue the show counter interface command for the egress interface.
B. From the GUI, select "Show global counters" under the Monitor tab.
C. From the CLI, issue the show counter global filter packet-filter yes command.
D. From the CLI, issue the show counter interface command for the ingress interface.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
A security architect has been asked to implement User-ID in a MacOS environment with no enterprise email, using a Sun LDAP server for user
authentication.
In this environment, which two User-ID methods are effective for mapping users to IP addresses? Choose 2 answers
A.
B.
C.
D.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
Which authentication method can provide role-based administrative access to firewalls running PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3 answers
A.
B.
C.
D.
E.
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference: