PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 Questions and Answers

Phase 2 SAs are synchronized over HA2 links

Phase 1 and Phase 2 SAs are synchronized over HA2 links

Phase 1 SAs are synchronized over HA1 links

Phase 1 and Phase 2 SAs are synchronized over HA3 links

Decryption will function and there will be no effect to end users

Decryption will not function because self-signed root certificates are not supported

Decryption will not function until the certificate is installed on client systems

Decryption will function but users will see certificate warnings for each SSL site they visit

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Export the log database.

Use the import option to pull logs.

Use the ACC to consolidate the logs.

Use the scp logdb export command.

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks

Add a WildFire subscription to activate DoS and zone protection features

Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log

All entries are in the System log

Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

All entries are in the Alarms log

IPSec crypto profile mismatch

IPSec protocol mismatch

mismatched Proxy-IDs

bad local and peer identification IP addresses in the IKE gateway

Guest devices may not trust the CA certificate used for the forward untrust certificate.

Guests may use operating systems that can't be decrypted.

The organization has no legal authority to decrypt their traffic.

Guest devices may not trust the CA certificate used for the forward trust certificate.

Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory

Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange

Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

GlobalProtect Portal

CaptivePortal

WebUI

CLI

All public cloud deployments require the /plugins folder to support proper firewall native integrations

The /content folder is missing from the bootstrap package

The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing

The /config or /software folders were missing mandatory files to successfully bootstrap