02 October, 2021

Up To Date Palo Alto Networks Certified Security Engineer (PCNSE)PAN-OS 8.0 PCNSE Test

Your success in Paloalto-Networks PCNSE is our sole target and we develop all our PCNSE braindumps in a way that facilitates the attainment of this target. Not only is our PCNSE study material the best you can find, it is also the most detailed and the most updated. PCNSE Practice Exams for Paloalto-Networks PCNSE are written to the highest standards of technical accuracy.

Free demo questions for Paloalto-Networks PCNSE Exam Dumps Below:

Page: 1 / 21

Total 255 questions Full Exam Access

Question 1

Which logs enable a firewall administrator to determine whether a session was decrypted?

Correlated Event

Traffic

Decryption

Security Policy

Question 2

YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

Outbound profile with Guaranteed Ingress

Outbound profile with Maximum Ingress

Inbound profile with Guaranteed Egress

Inbound profile with Maximum Egress

Question 3

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

Panorama Log Settings

Panorama Log Templates

Panorama Device Group Log Forwarding

Collector Log Forwarding for Collector Groups

Question 4

How are IPV6 DNS queries configured to user interface ethernet1/3?

Network > Virtual Router > DNS Interface

Objects > CustomerObjects > DNS

Network > Interface Mgrnt

Device > Setup > Services > Service Route Configuration

Question 5

Which Captive Portal mode must be configured to support MFA authentication?

NTLM

Redirect

Single Sign-On

Transparent

Question 6

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

Create a no-decrypt Decryption Policy rule.

Configure an EDL to pull IP addresses of known sites resolved from a CRL.

Create a Dynamic Address Group for untrusted sites

Create a Security Policy rule with vulnerability Security Profile attached.

Enable the “Block sessions with untrusted issuers” setting.

Question 7

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per ingress zone.

Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection.

Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per ingress zone.

Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection pre egress zone.

Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer Protection per zone.

Question 8

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

Port Inspection

Certificate revocation

Content-ID

App-ID

Question 9

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

CRL

CRT

OCSP

Cert-Validation-Profile

SSL/TLS Service Profile

Question 10

Which three log-forwarding destinations require a server profile to be configured? (Choose three)

SNMP Trap

RADIUS

Kerberos

Panorama

Syslog

Question 11

Which administrative authentication method supports authorization by an external service?

Certificates

LDAP

RADIUS

SSH keys

Question 12

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

View the System logs and look for the error messages about BGP.

Perform a traffic pcap on the NGFW to see any BGP problems.

View the Runtime Stats and look for problems with BGP configuration.

View the ACC tab to isolate routing issues.

Question 13

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)

ae.8

aggregate.1

ae.1

aggregate.8

Question 14

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
• DMZ zone: DMZ-L3
• Public zone: Untrust-L3
• Guest zone: Guest-L3
• Web server zone: Trust-L3
• Public IP address (Untrust-L3): 1.1.1.1
• Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

Untrust-L3

DMZ-L3

Guest-L3

Trust-L3

Question 15

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.

Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

The firewalls do not use floating IPs in active/active HA.

The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Question 16

Which virtual router feature determines if a specific destination IP address is reachable?

Heartbeat Monitoring

Failover

Path Monitoring

Ping-Path

Question 17

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

Configure the option for “Threshold”.

Disable automatic updates during weekdays.

Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.

Automatically “download and install” but with the “disable new applications” option used.

Question 18

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole

File Blocking profiles applied to outbound security policies with action set to alert

Vulnerability Protection profiles applied to outbound security policies with action set to block

Antivirus profiles applied to outbound security policies with action set to alert

Question 19

A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

Zone Protection Policy with UDP Flood Protection

QoS Policy to throttle traffic below maximum limit

Security Policy rule to deny trafic to the IP address and port that is under attack

Classified DoS Protection Policy using destination IP only with a Protect action

Question 20

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

The two devices must share a routable floating IP address

The two devices may be different models within the PA-5000 series

The HA1 IP address from each peer must be on a different subnet

The management port may be used for a backup control connection

Question 21

Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

Log

Alert

Allow

Default

Question 22

A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's
firewall.
PCNSE dumps exhibit

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

A report can be created that identifies unclassified traffic on the network.

Different security profiles can be applied to traffic matching rules 2 and 3.

Rule 2 and 3 apply to traffic on different ports.

Separate Log Forwarding profiles can be applied to rules 2 and 3.

Question 23

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

TACACS+

Kerberos

PAP

LDAP

SAML

RADIUS

Question 24

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

5-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol

7-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port ,Source User, URL Category and Source Security Zone.

6-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol and Source Security Zone

9-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application and URL Category

Question 25

A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

Enable packet buffer protection on the Zone Protection Profile.

Apply an Anti-Spyware Profile with DNS sinkholing.

Use the DNS App-ID with application-default.

Apply a classified DoS Protection Profile.

Page: 1 / 21

Total 255 questions Full Exam Access