New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

PCNSE Questions and Answers

Question # 6

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

A.

None

B.

Outside

C.

DMZ

D.

Inside

Full Access
Question # 7

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Full Access
Question # 8

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?

A.

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.

Place firewalls where administrators can opt to bypass the firewall when needed.

D.

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Full Access
Question # 9

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Full Access
Question # 10

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

A.

To allow traffic between zones in different virtual systems without the traffic leaving the appliance

B.

To allow traffic between zones in different virtual systems while the traffic is leaving the appliance

C.

External zones are required because the same external zone can be used on different virtual systems

D.

Multiple external zones are required in each virtual system to allow the communications between virtual systems

Full Access
Question # 11

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?

A.

On Palo Alto Networks Update Servers

B.

M600 Log Collectors

C.

Cortex Data Lake

D.

Panorama

Full Access
Question # 12

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

A.

an Authentication policy with 'unknown' selected in the Source User field

B.

an Authentication policy with 'known-user' selected in the Source User field

C.

a Security policy with 'known-user' selected in the Source User field

D.

a Security policy with 'unknown' selected in the Source User field

Full Access
Question # 13

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Full Access
Question # 14

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

A.

No, because the URL generated an alert.

B.

Yes, because both the web-browsing application and the flash file have the 'alert" action.

C.

Yes, because the final action is set to "allow.''

D.

No, because the action for the wildfire-virus is "reset-both."

Full Access
Question # 15

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

A.

NAT

B.

DOS protection

C.

QoS

D.

Tunnel inspection

Full Access
Question # 16

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Full Access
Question # 17

Which CLI command displays the physical media that are connected to ethernet1/8?

A.

> show system state filter-pretty sys.si. p8. stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show system state filter-pretty sys.sl.p8.med

D.

> show interface ethernet1/8

Full Access
Question # 18

Which source is the most reliable for collecting User-ID user mapping?

A.

Syslog Listener

B.

Microsoft Exchange

C.

Microsoft Active Directory

D.

GlobalProtect

Full Access
Question # 19

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Full Access
Question # 20

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Full Access
Question # 21

Which new PAN-OS 11.0 feature supports IPv6 traffic?

A.

DHCPv6 Client with Prefix Delegation

B.

OSPF

C.

DHCP Server

D.

IKEv1

Full Access
Question # 22

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Full Access
Question # 23

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

A.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: Static IP / 172.16.15.1

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 172.16.15.10 -

Application: ssh

B.

NAT Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

C.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP /172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

D.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

Full Access
Question # 24

If a URL is in multiple custom URL categories with different actions, which action will take priority?

A.

Allow

B.

Override

C.

Block

D.

Alert

Full Access
Question # 25

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

A.

Upload the image to Panorama > Software menu, and deploy it to the firewalls. *

B.

Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls. *

C.

Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

D.

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Full Access
Question # 26

An engineer configures SSL decryption in order to have more visibility to the internal users' traffic when it is regressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)

A.

High availability (HA)

B.

Layer 3

C.

Layer 2

D.

Tap

E.

Virtual Wire

Full Access
Question # 27

Refer to the exhibit.

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

A.

shared pre-rules

DATACENTER DG pre rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

DATACENTER.DG default rules

B.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER.DG post-rules

shared default rules

C.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

shared default rules

D.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

DATACENTER_DG default rules

Full Access
Question # 28

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

Full Access
Question # 29

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Create an Application Override using TCP ports 443 and 80.

C.

Add the HTTP. SSL. and Evernote applications to the same Security policy.

D.

Add only the Evernote application to the Security policy rule.

Full Access
Question # 30

Which two statements correctly describe Session 380280? (Choose two.)

A.

The session went through SSL decryption processing.

B.

The session has ended with the end-reason unknown.

C.

The application has been identified as web-browsing.

D.

The session did not go through SSL decryption processing.

Full Access
Question # 31

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Full Access
Question # 32

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Full Access
Question # 33

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Full Access
Question # 34

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Full Access
Question # 35

Which three authentication types can be used to authenticate users? (Choose three.)

A.

Local database authentication

B.

PingID

C.

Kerberos single sign-on

D.

GlobalProtect client

E.

Cloud authentication service

Full Access
Question # 36

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?

A.

Set up certificate authentication.

B.

Use the Dynamic IP address type.

C.

Enable Passive Mode

D.

Configure the peer address as an FQDN.

Full Access
Question # 37

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

A.

upload-onlys

B.

install and reboot

C.

upload and install

D.

upload and install and reboot

E.

verify and install

Full Access
Question # 38

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Full Access
Question # 39

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Full Access
Question # 40

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Full Access
Question # 41

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Full Access
Question # 42

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Full Access
Question # 43

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Full Access
Question # 44

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Full Access
Question # 45

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Full Access
Question # 46

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)

A.

Hello Interval

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Monitor Fail Hold Up Time

Full Access
Question # 47

Which protocol is supported by GlobalProtect Clientless VPN?

A.

FTP

B.

RDP

C.

SSH

D.

HTTPS

Full Access
Question # 48

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

A.

The running configuration with the candidate configuration of the firewall

B.

Applications configured in the rule with applications seen from traffic matching the same rule

C.

Applications configured in the rule with their dependencies

D.

The security rule with any other security rule selected

Full Access
Question # 49

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN

D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Full Access
Question # 50

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

A.

Click Preview Changes under Push Scope

B.

Use Test Policy Match to review the policies in Panorama

C.

Review the configuration logs on the Monitor tab

D.

Context-switch to the affected firewall and use the configuration audit tool

Full Access
Question # 51

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

A.

SSL/TLS Service

B.

HTTP Server

C.

Decryption

D.

Interface Management

Full Access
Question # 52

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Full Access
Question # 53

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

A.

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

C.

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

D.

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Full Access