PCNSE6 dump(46 to 60) for IT specialist: Apr 2016 Edition

Practice questions for the Palo Alto Networks Certified Network Security Engineer 6.0 (PCNSE6) exam.

2016 Apr PCNSE6 Study Guide Questions:

Q46. What has happened when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? 

A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server. 

B. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. 

C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious domain. 

D. A malicious domain is trying to contact an internal DNS server. 

Answer: B 


Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14 

Q47. Users can be authenticated serially to multiple authentication servers by configuring: 

A. Multiple RADIUS Servers sharing a VSA configuration 

B. Authentication Sequence 

C. Authentication Profile 

D. A custom Administrator Profile 

Answer: B 

Q48. When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security policies can be set to match on multicast IP addresses. 

A. True 

B. False 

Answer: B 

Q49. Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment? 

A. HA3 is used for session synchronization 

B. The HA3 link is used to transfer Layer 7 information 

C. HA3 is used to handle asymmetric routing 

D. HA3 is the control link 

Answer: A 

Q50. The following can be configured as a next hop in a Static Route: 

A. A Policy-Based Forwarding Rule 

B. Virtual System 

C. A Dynamic Routing Protocol 

D. Virtual Router 

Answer: D 


Q51. In PAN-OS 5.0, how is Wildfire enabled? 

A. Via the URL-Filtering "Continue" Action 

B. Wildfire is automatically enabled with a valid URL-Filtering license 

C. A custom file blocking action must be enabled for all PDF and PE type files 

D. Via the "Forward" and "Continue and Forward" File-Blocking actions 

Answer: A 

Q52. In Active/Active HA environments, redundancy for the HA3 interface can be achieved by 

A. Configuring a corresponding HA4 interface 

B. Configuring HA3 as an Aggregate Ethernet bundle 

C. Configuring multiple HA3 interfaces 

D. Configuring HA3 in a redundant group 

Answer: B 

Q53. Which of the following are methods HA clusters use to identify network outages? 

A. Path and Link Monitoring 

B. VR and VSys Monitors 

C. Heartbeat and Session Monitors 

D. Link and Session Monitors 

Answer: A 

Q54. Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers 

A. Virtual Wire 

B. Loopback 

C. Tunnel 

D. Layer3 

Answer: B,D 


Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10 

Q55. When a user logs in via Captive Portal, their user information can be checked against: 

A. Terminal Server Agent 

B. Security Logs 


D. Radius 

Answer: D 


Q56. A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. 

Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network? 

A. Zone Protection Policy with UDP Flood Protection 

B. Classified DoS Protection Policy using destination IP only with a Protect action 

C. QoS Policy to throttle traffic below maximum limit 

D. Security Policy rule to deny traffic to the IP address and port that is under attack 

Answer: B 


Reference: https://live.paloaltonetworks.com/docs/DOC-1746 

Q57. When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted? 

A. Ensure that the Service column is defined as "application-default" for this security rule. This will automatically include the implicit web-browsing application dependency. 

B. Create a subsequent rule which blocks all other traffic 

C. When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be permitted in subsequent rules. 

D. No other configuration is required on the part of the administrator, since implicit application dependencies will be added automatically. 

Answer: D 

Q58. Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers 

A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis, regardless of interface(s). They provide reconnaissance protection against TCP/UDP port scans and host sweeps. 

B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions that can be used. 

C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities. 

D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop". 

Answer: B,D 


Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-3-25328/Application%20DDoS%20Mitigation.pdf page 4 

Q59. Which option allows an administrator to segregate Panorama and Syslog traffic, so that the Management Interface is not employed when sending these types of traffic? 

A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and Syslog devices. 

B. Define a Loopback interface for the Panorama and Syslog Devices 

C. On the Device tab in the Web UI, create custom server profiles for Syslog and Panorama 

D. Service Route Configuration 

Answer: D 

Q60. Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall? 

A. So that information can be pulled from other network resources for User-ID 

B. To allow the firewall to push UserID information to a Network Access Control (NAC) device. 

C. To permit sys logging of User Identification events 

Answer: B 
