PCNSE Dumps Help You Study Objectives

Category:

Comments:

0 Comments

Post Date:

May 15, 2023

By practicing with PCNSE exam-like questions, you can identify areas where you may need to focus your studies. Palo Alto Networks PCNSE dumps can help you create a more targeted study plan and avoid wasting time studying topics you already know well. Taking PCNSE dumps can help you get used to the format and structure of the real exam. PCNSE dumps can help you feel more comfortable and confident on exam day, which can improve your chances of success. Practice Palo Alto Networks PCNSE exam free dumps below.

Page 1 of 10

1. DRAG DROP

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.

2. An engineer must configure the Decryption Broker feature. To which router must the engineer assign the decryption forwarding interfaces that are used in Decryption Broker security chain?

A virtual router that has no additional interfaces for passing data-type traffic and no other configured routes than those used for the security chain.

The default virtual router. If there is no default virtual router , the engineer must create one during setup.

A virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB

The virtual router that routes the traffic that the Decryption Broker security chain inspects.

3. Which time determines how long the passive firewall will wait before taking over as the active firewall alter losing communications with the HA peer?

Heartbeat Interval

Additional Master Hold Up Time

Promotion Hold Time

Monitor Fall Hold Up Time

4. What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?

SSL/TLS Service profile

Certificate profile

SCEP

OCSP Responder

5. A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

Option A

Option B

Option C

Option D

6. Refer to the exhibit.

Review the screenshots and consider the following information:

• FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

• There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?

Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.

7. Which CLI command is used to determine how much disk space is allocated to logs?

show logging-status

show system info

debug log-receiver show

show system logdfo-quota

8. Which log type will help the engineer verify whether packet buffer protection was activated?

Data Filtering

Configuration

Threat

Traffic

9. Which profile generates a packet threat type found in threat logs?

Zone Protection

WildFire

Anti-Spyware

Antivirus

10. What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TL

It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TL

Page 2 of 10

11. A client wants to detect the use of weak and manufacturer-default passwords for loT devices.

Which option will help the customer?

Configure a Data Filtering profile with alert mode.

Configure an Antivirus profile with alert mode.

Configure a Vulnerability Protection profile with alert mode

Configure an Anti-Spyware profile with alert mode.

12. What is the best definition of the Heartbeat Interval?

The interval in milliseconds between hello packets

The frequency at which the HA peers check link or path availability

The frequency at which the HA peers exchange ping

The interval during which the firewall will remain active following a link monitor failure

13. An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID.

Why would the application field display as incomplete?

The client sent a TCP segment with the PUSH flag set.

The TCP connection was terminated without identifying any application data.

There is insufficient application data after the TCP connection was established.

The TCP connection did not fully establish.

14. Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Resource Protection

TCP Port Scan Protection

Packet Based Attack Protection

Packet Buffer Protection

15. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

Destination Zone

App-ID

Custom URL Category

User-ID

Source Interface

16. A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing.

Which CLI command should the engineer run?

Show vpn tunnel name | match encap

Show vpn flow name

Show running tunnel flow lookup

Show vpn ipsec-sa tunnel

17. An engineer is configuring SSL Inbound Inspection for public access to a company's application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Self-signed CA and End-entity certificate

Root CA and Intermediate CA(s)

Self-signed certificate with exportable private key

Intermediate CA (s) and End-entity certificate

18. An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

It applies to existing sessions and is not global

It applies to new sessions and is global

It applies to new sessions and is not global

It applies to existing sessions and is global

19. Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Change destination NAT zone to Trust_L3.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

Change Source NAT zone to Untrust_L3.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

20. A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped a by the firewall, the administrator decides to enable packet butter protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

Enable packet buffer protection for the affected zones.

Add a Zone Protection profile to the affected zones.

Apply DOS profile to security rules allow traffic from outside.

Page 3 of 10

21. An engineer must configure the Decryption Broker feature

Which Decryption Broker security chain supports bi-directional traffic flow?

Layer 2 security chain

Layer 3 security chain

Transparent Bridge security chain

Transparent Proxy security chain

22. View the screenshots.

A QoS profile and policy rules are configured as shown.

Based on this information, which two statements are correct? (Choose two.)

DNS has a higher priority and more bandwidth than SS

Google-video has a higher priority and more bandwidth than WebEx.

SMTP has a higher priority but lower bandwidth than Zoom.

Facetime has a higher priority but lower bandwidth than Zoom.

23. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Certificate profile

Path Quality profile

SD-WAN Interface profile

Traffic Distribution profile

24. What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Phase 1 SAs are synchronized over HA1 links.

Phase 2 SAs are synchronized over HA2 links.

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

25. Which configuration is backed up using the Scheduled Config Export feature in Panorama?

Panorama running configuration

Panorama candidate configuration

Panorama candidate configuration and candidate configuration of all managed devices

Panorama running configuration and running configuration of all managed devices

26. Which protocol is supported by GlobalProtect Clientless VPN?

FTP

RDP

SSH

HTTPS

27. A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

28. After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.

What are two explanations for this type of issue? (Choose two)

The peer IP is not included in the permit list on Management Interface Settings

The Backup Peer HA1 IP Address was not configured when the commit was issued

Either management or a data-plane interface is used as HA1-backup

One of the firewalls has gone into the suspended state

29. Which statement accurately describes service routes and virtual systems?

Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall.

Virtual systems can only use one interface for all global service and service routes of the firewall.

Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall.

The interface must be used for traffic to the required external services.

30. During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Page 4 of 10

31. An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

Export the log database.

Use the import option to pull logs.

Use the scp logdb export command.

Use the ACC to consolidate the logs.

32. The same route appears in the routing table three times using three different protocols

Which mechanism determines how the firewall chooses which route to use?

Administrative distance

Round Robin load balancing

Order in the routing table

Metric

33. An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

What could an administrator do to troubleshoot the issue?

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

34. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

IP Netmask

IP Wildcard Mask

IP Address

IP Range

35. Where is information about packet buffer protection logged?

Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log

All entries are in the System log

Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

All entries are in the Alarms log

36. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system)

ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA

An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall

The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following?

Enterprise-Untrusted-CA which is a self-signed CA

Enterprise-Trusted-CA which is a self-signed CA

Enterprise-intermediate-CA which was. in turn, issued by Enterprise-Root-CA

Enterprise-Root-CA which is a self-signed CA

37. Which configuration task is best for reducing load on the management plane?

Disable logging on the default deny rule

Enable session logging at start

Disable pre-defined reports

Set the URL filtering action to send alerts

38. A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Exclude video traffic

Enable decryption

Block traffic that is not work-related

Create a Tunnel Inspection policy

39. An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

40. What are two valid deployment options for Decryption Broker? (Choose two)

Transparent Bridge Security Chain

Layer 3 Security Chain

Layer 2 Security Chain

Transparent Mirror Security Chain

Page 5 of 10

41. A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama.

What are the next steps to migrate configuration from the firewalls to Panorama?

Use API calls to retrieve the configuration directly from the managed devices

Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama

import Device Configuration to Panorama followed by Export or Push Device Config Bundle

Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices

42. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

43. What is a key step in implementing WildFire best practices?

In a mission-critical network, increase the WildFire size limits to the maximum value.

Configure the firewall to retrieve content updates every minute.

In a security-first network, set the WildFire size limits to the minimum value.

Ensure that a Threat Prevention subscription is active.

44. An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices Which Mo variable types can be defined? (Choose two.)

Path group

Zone

IP netmask

FQDN

45. When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?

Local

LDAP

Kerberos

Radius

46. An administrator needs to gather information about the firewall CPU utilization on both the management plane and the data plane.

Where does the administrator view the desired data?

Application Command and Control Center

Monitor > Utilization

Support > Resources

System Resources Widget on the Dashboard

47. ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

1 to 4 hours

6 to 12 hours

24 hours

36 hours

48. A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A self-signed Certificate Authority certificate generated by the firewall

A Machine Certificate for the firewall signed by the organization's PKI

A web server certificate signed by the organization's PKI

A subordinate Certificate Authority certificate signed by the organization's PKI

49. Which data flow describes redistribution of user mappings?

User-ID agent to firewall

firewall to firewall

Domain Controller to User-ID agent

User-ID agent to Panorama

50. Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

The PanGPS process failed to connect to the PanGPA process on port 4767

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

The PanGPA process failed to connect to the PanGPS process on port 4767

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Page 6 of 10

51. Given the screenshot, how did the firewall handle the traffic?

Traffic was allowed by policy but denied by profile as encrypted.

Traffic was allowed by policy but denied by profile as a threat.

Traffic was allowed by profile but denied by policy as a threat.

Traffic was allowed by policy but denied by profile as a nonstandard port.

52. Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?

Legacy

Log Collector

Panorama

Management Only

53. A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.

There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

What is the best option for the administrator to take?

Configure the TAP interface for segment X on the firewall.

Configure vwire interfaces for segment X on the firewall.

Configure a Layer 3 interface for segment X on the firewall.

Configure a new vsys for segment X on the firewall.

54. A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

In the OSFP configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.

Within the redistribution profile ensure that Redist is selected.

Ensure that the OSPF neighbor state Is "2-Way."

In the redistribution profile check that the source type is set to "ospf."

55. How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

Configure the firewall's assigned template to download the content updates.

Choose the download and install action for both members of the HA pair in the Schedule object.

Switch context to the firewalls to start the download and install process.

Download the apps to the primary; no further action is required.

56. A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.

What must be enabled to allow an interface to forward multicast traffic?

IGMP

PIM

BFD

SSM

57. Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-l and Spermitted-subnet-2.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-l.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-l and $permitted-subnet-2.

58. An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

DNS proxy

Explicit proxy

SSL forward proxy

Transparent proxy

59. An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Inherit settings from the Shared group

Inherit IPSec crypto profiles

Inherit all Security policy rules and objects

Inherit parent Security policy rules and objects

60. Refer to the exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services

Configure log compression and optimization features on all remote firewalls

Any configuration on an M-500 would address the insufficient bandwidth concerns

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

Page 7 of 10

61. A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time.

How can they achieve this?

Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.

Use the Scheduled Config Push to schedule Push lo Devices and separately schedule an API call to commit all Panorama changes.

Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

62. An administrator accidentally closed the commit window/screen before the commit was finished.

Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)

A. System Logs

B. Task Manager

C. Traffic Logs

D. Configuration Logs

63. Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

Verify

Schedules

Install from file

Check dependencies

Revert content

64. An engineer is pushing configuration from Panorama lo a managed firewall.

What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

The firewall rejects the pushed configuration, and the commit fails.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

65. An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Non-functional

Passive

Active-Secondary

Active

66. What can be used to create dynamic address groups?

dynamic address

region objects

tags

FODN addresses

67. A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups m their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Create a Dynamic Admin with the Panorama Administrator role.

Create a Device Group and Template Admin.

Create a Custom Panorama Admin.

Create a Dynamic Read only superuser

68. What is a correct statement regarding administrative authentication using external services with a local authorization method?

Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.

Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.

The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.

69. When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices

What should you recommend?

Enable SSL decryption for known malicious source IP addresses

Enable SSL decryption for source users and known malicious URL categories

Enable SSL decryption for malicious source users

Enable SSL decryption for known malicious destination IP addresses

70. What is the dependency for users to access services that require authentication?

An Authentication profile that includes those services

Disabling the authentication timeout

An authentication sequence that includes those services

A Security policy allowing users to access those services

Page 8 of 10

71. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface.

It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface.

It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.

It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface.

72. What is considered the best practice with regards to zone protection?

Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse

Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs

If the levels of zone and DoS protection consume too many firewall resources, disable zone protection

Set the Alarm Rate threshold for event-log messages to high severity or critical severity

73. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

74. Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution

How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?

Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TL

Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution

Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

75. An administrator needs to assign a specific DNS server to one firewall within a device group.

Where would the administrator go to edit a template variable at the device level?

Variable CSV export under Panorama > templates

PDF Export under Panorama > templates

Manage variables under Panorama > templates

Managed Devices > Device Association

76. An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication.

Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

ASBR

ECMP

OSPFv3

OSPF

77. As a best practice, logging at session start should be used in which case?

On all Allow rules

While troubleshooting

Only when log at session end is enabled

Only on Deny rules

78. In the screenshot above which two pieces of information can be determined from the ACC configuration shown? (Choose two)

The Network Activity tab will display all applications, including FT

Threats with a severity of "high" are always listed at the top of the Threat Name list

Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

The ACC has been filtered to only show the FTP application

79. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

no install on the route

duplicate static route

path monitoring on the static route

disabling of the static route

80. Which statement about High Availability timer settings is true?

Use the Moderate timer for typical failover timer settings.

Use the Critical timer for taster failover timer settings.

Use the Recommended timer for faster failover timer settings.

Use the Aggressive timer for taster failover timer settings

Page 9 of 10

81. An administrator is receiving complaints about application performance degradation. After checking the ACC. the administrator observes that there Is an excessive amount of SSL traffic

Which three elements should the administrator configure to address this issue? (Choose three.)

QoS on the ingress Interface for the traffic flows

An Application Override policy for the SSL traffic

A QoS policy for each application ID

A QoS profile defining traffic classes

QoS on the egress interface for the traffic flows

82. After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

Disable ALG under

323 application

Increase the TCP timeout under

323 application

Increase the TCP timeout under SIP application

Disable ALG under SIP application

83. A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Application to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

It matches to the New App-IDs downloaded in the last 30 days.

It matches to the New App-IDs downloaded in the last 90 days

It matches to the New App-IDs installed since the last time the firewall was rebooted

It matches to the New App-IDs in the most recently installed content releases.

84. A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying.

Which statement about the QoS feature is correct?

QoS is only supported on firewalls that have a single virtual system configured

QoS can be used in conjunction with SSL decryption

QoS is only supported on hardware firewalls

QoS can be used on firewalls with multiple virtual systems configured

85. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

the website matches a category that is not allowed for most users

the website matches a high-risk category

the web server requires mutual authentication

the website matches a sensitive category

86. A security engineer received multiple reports of an IPSec VPN tunnel going down the night before. The engineer couldn't find any events related to VPN under system togs.

What is the likely cause?

Dead Peer Detection is not enabled.

Tunnel Inspection settings are misconfigured.

The Tunnel Monitor is not configured.

The log quota for GTP and Tunnel needs to be adjusted

87. Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

The environment requires real, full-time redundancy from both firewalls at all times

The environment requires Layer 2 interfaces in the deployment

The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence

The environment requires that all configuration must be fully synchronized between both members of the HA pair

The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes

88. An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

NTP Server Address

Antivirus Profile

Authentication Profile

Service Route Configuration

Dynamic Address Groups

89. Which feature checks Panorama connectivity status after a commit?

Automated commit recovery

Scheduled config export

Device monitoring data under Panorama settings

HTTP Server profiles

90. A network administrator wants to deploy SSL Forward Proxy decryption.

What two attributes should a forward trust certificate have? (Choose two.)

A subject alternative name

A private key

A server certificate

A certificate authority (CA) certificate

Page 10 of 10

91. A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing.

What command could the engineer run to see the current state of the BGP state between the two devices?

show routing protocol bgp state

show routing protocol bgp peer

show routing protocol bgp summary

show routing protocol bgp rib-out

92. Before you upgrade a Palo Alto Networks NGFW, what must you do?

Make sure that the PAN-OS support contract is valid for at least another year

Export a device state of the firewall

Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

Make sure that the firewall is running a supported version of the app + threat update

93. Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

No Direct Access to local networks

Tunnel mode

iPSec mode

Satellite mode

TAGS:

PCNSE, PCNSE exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Posts

Palo Alto Networks Free Dumps

PCCSE Dumps Help You Study Objectives

By practicing with PCCSE exam-like questions, you can identify areas where you may need to focus your studies. Palo Alto...

Palo Alto Networks Free Dumps

Improve Your Knowledge with PCNSA Exam Dumps

Practicing with PCNSA questions can help you identify areas where you need to improve your knowledge. By answering PCNSA questions...

Get PCNSE Dumps Full Version

Q&As: 177
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm