16 October, 2020

What Accurate PCNSE Free Question Is

We provide real PCNSE exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Paloalto-Networks PCNSE Exam quickly & easily. The PCNSE PDF type is available for reading and printing. You can print more and practice many times. With the help of our Paloalto-Networks PCNSE dumps pdf and vce product and material, you can easily pass the PCNSE exam.

Free demo questions for Paloalto-Networks PCNSE Exam Dumps Below:

Page: 1 / 21

Total 255 questions Full Exam Access

Question 1

If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
Solution:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

Does this meet the goal?

Yes

Question 2

Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

Microsoft Active Directory

Microsoft Terminal Services

Aerohive Wireless Access Point

Palo Alto Networks Captive Portal

Question 3

Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

User-logon (Always on)

At-boot

On-demand

Pre-logon

Question 4

Which feature can provide NGFWs with User-ID mapping information?

GlobalProtect

Web Captcha

Native 802.1q authentication

Native 802.1x authentication

Question 5

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

Disable Server Response Inspection

Apply an Application Override

Disable HIP Profile

Add server IP Security Policy exception

Question 6

Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

Add SSL App-ID to Rule1

Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID\'s to it

Add the DNS App-ID to Rule2

Add the Web-browsing App-ID to Rule2

Question 7

A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

Zone Protection Policy with UDP Flood Protection

QoS Policy to throttle traffic below maximum limit

Security Policy rule to deny trafic to the IP address and port that is under attack

Classified DoS Protection Policy using destination IP only with a Protect action

Question 8

Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

debug system details

show session info

show system info

show system details

Question 9

An administrator has left a firewall to use the default port for all management services. Which three
functions are performed by the dataplane? (Choose three.)

WildFire updates

NAT

NTP

antivirus E.File blocking

Question 10

Refer to the exhibit.
PCNSE dumps exhibit

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be
steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)

Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow

Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow

Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow

Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow

Question 11

Which CLI command can be used to export the tcpdump capture?
Solution:
Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415

Does this meet the goal?

Yes

Question 12

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per ingress zone.

Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection.

Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per ingress zone.

Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection pre egress zone.

Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer Protection per zone.

Question 13

A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface
Which interface type and configuration setting will support this design?

Trunk interface type with specified tag

Layer 3 interface type with specified tag

Layer 2 interface type with a VLAN assigned

Layer 3 subinterface type with specified tag

Question 14

Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

Enable on Site-A only

Enable on Site-B only

Enable on Site-B only with passive mode

Enable on Site-A and Site-B

Question 15

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
Solution:

Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade. Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS- Upgrade/ta-p/111045

Does this meet the goal?

Yes

Question 16

An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy.

Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy.

Disable the exclude cache option for the firewall.

Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Question 17

Which three settings are defined within the Templates object of Panorama? (Choose three.)

Setup

Virtual Routers

Interfaces

Security

Application Override

Question 18

People are having intermittent quality issues during a live meeting via web application.

Use QoS profile to define QoS Classes

Use QoS Classes to define QoS Profile

Use QoS Profile to define QoS Classes and a QoS Policy

Use QoS Classes to define QoS Profile and a QoS Policy

Question 19

An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

Port Inspection

Certificate revocation

Content-ID

App-ID

Question 20

The certificate information displayed in the following image is for which type of certificate? Exhibit:
PCNSE dumps exhibit

Forward Trust certificate

Self-Signed Root CA certificate

Web Server certificate

Public CA signed certificate

Question 21

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

Block sessions with expired certificates

Block sessions with client authentication

Block sessions with unsupported cipher suites

Block sessions with untrusted issuers

Block credential phishing

Question 22

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?

Device state and license files

Configuration and serial number files

Configuration and statistics files

Configuration and Large Scale VPN (LSVPN) setups file

Question 23

An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

Admin Role

WebUI

Authentication

Authorization

Question 24

A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

application: web-browsing; service: application-default

application: web-browsing; service: service-https

application: ssl; service: any

application: web-browsing; service: (custom with destination TCP port 8080)

Question 25

VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

Zone Protection

DoS Protection

Web Application

Replay

Question 26

A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

Blocked Activity

Bandwidth Activity

Threat Activity

Network Activity

Question 27

A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?

test routing fib virtual-router vr1

show routing route type static destination 98.139.183.24

test routing fib-lookup ip 98.139.183.24 virtual-router vr1

show routing interface

Question 28

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
•Firewall has Internet connectivity through e1/1.
•Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
•Service route is configured, sourcing update traffic from e1/1.
•A communication error appears in the System logs when updates are performed.
•Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

DNS settings for the firewall to use for resolution

scheduler for timed downloads of PAN-OS software

static route pointing application PaloAlto-updates to the update servers

Security policy rule allowing PaloAlto-updates as the application

Page: 1 / 21

Total 255 questions Full Exam Access