PCNSE6 Exam - Palo Alto Networks Certified Network Security Engineer 6.0

Q1. WildFire Analysis Reports are available for the following Operating Systems (select all that apply) 

A. Windows XP 

B. Windows 7 

C. Windows 8 

D. Mac OS-X 

View Answer

Q2. What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? 

A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server. 

B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. 

C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain. 

D. A malicious domain is trying to contact an internal DNS server. 

View Answer

Q3. In the following display, ethernetl/6 is configured with an interface management profile that allows ping with no restriction on the source address: 

Given the following security policy rule base: 

What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of ethernet1/6? 

A. The firewall will send an ICMP redirect message to the client. 

B. The client will receive an ICMP "destination unreachable" packet. 

C. The interface will respond. 

D. The traffic will be dropped by the firewall. 

View Answer

Q4. How do you limit the amount of information recorded in the URL Content Filtering Logs? 

A. Enable DSRI 

B. Disable URL packet captures 

C. Enable URL log caching 

D. Enable Log container page only 

View Answer

Q5. Which of the Dynamic Updates listed below are issued on a daily basis? 

A. Global Protect 

B. URL Filtering 

C. Antivirus 

D. Applications and Threats 

View Answer

Q6. In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are: 

A. Dynamic numbers that refer to a security policy’s order and are especially useful when filtering security policies by tags 

B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement 

C. Static numbers that must be manually re-numbered whenever a new security policy is added 

View Answer

Q7. A company has purchased a WildFire subscription and would like to implement dynamic updates to download the most recent content as often as possible. 

What is the shortest time interval the company can configure their firewall to check for WildFire updates? 

A. Every 24 hours 

B. Every 30 minutes 

C. Every 15 minutes 

D. Every 1 hour 

E. Every 5 minutes 

View Answer

Q8. A security architect has been asked to implement User-ID in a MacOS environment with no enterprise email, using a Sun LDAP server for user authentication. 

In this environment, which two User-ID methods are effective for mapping users to IP addresses? Choose 2 answers 

A. Terminal Server Agent 

B. Mac OS Agent 

C. Captive Portal 

D. GlobalProtect 

View Answer

Q9. After migrating from an ASA firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs: 

pfs group mismatched: my:0 peer:2 

Which setting should be changed on the Palo Alto Firewall to resolve this error message? 

A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. 

B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2. 

C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2. 

D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs. 

View Answer

Q10. A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive configuration and will be using HA-Lite. 

Which capability can be used in this situation? 

A. Configuration Sync 

B. Link Aggregation 

C. Session Sync 

D. Jumbo Frames 

View Answer