Updated Palo Alto Networks PCNSE Certification Real Questions

test2023-01-16T08:08:35+00:00

By test PCNSE Certification, PCNSE free dumps, Updated Palo Alto Networks PCNSE Certification Real Questions 0 Comments

The Palo Alto Networks PCNSE (Palo Alto Networks Certified Network Security Engineer) exam is a highly sought-after certification for professionals in the cybersecurity industry. The updated exam questions provide a more realistic and comprehensive assessment of a candidate’s knowledge and skills, giving them the opportunity to demonstrate their proficiency in configuring, managing, and troubleshooting Palo Alto Networks security platforms.

One of the key benefits of the updated PCNSE exam questions is that they align with the latest industry standards and best practices. This ensures that professionals who pass the exam have the most current and relevant knowledge to protect their organization’s network from cyber threats.

Overall, the updated PCNSE exam questions provide a more comprehensive and realistic assessment of a candidate’s knowledge and skills, and help to ensure that professionals who pass the exam have the most current and relevant knowledge and experience to protect their organization’s network from cyber threats.

Page 1 of 4

1. An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

Guest devices may not trust the CA certificate used for the forward untrust certificate.

Guests may use operating systems that can't be decrypted.

The organization has no legal authority to decrypt their traffic.

Guest devices may not trust the CA certificate used for the forward trust certificate.

2. Which profile generates a packet threat type found in threat logs?

Zone Protection

WildFire

Anti-Spyware

Antivirus

3. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

PAN-OS integrated User-ID agent

GlobalProtect

Windows-based User-ID agent

LDAP Server Profile configuration

4. A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited.

Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

Decryption policy and a Data Filtering profile

a WildFire profile and a File Blocking profile

Vulnerability Protection profile and a Decryption policy

a Vulnerability Protection profile and a QoS policy

5. The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such

The admin has not yet installed the root certificate onto client systems

What effect would this have on decryption functionality?

Decryption will function and there will be no effect to end users

Decryption will not function because self-signed root certificates are not supported

Decryption will not function until the certificate is installed on client systems

Decryption will function but users will see certificate warnings for each SSL site they visit

6. An engineer is pushing configuration from Panorama lo a managed firewall.

What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

The firewall rejects the pushed configuration, and the commit fails.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

7. Which configuration is backed up using the Scheduled Config Export feature in Panorama?

Panorama running configuration

Panorama candidate configuration

Panorama candidate configuration and candidate configuration of all managed devices

Panorama running configuration and running configuration of all managed devices

8. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

wildcard server certificate

enterprise CA certificate

client certificate

server certificate

self-signed CA certificate

9. During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted

How should the engineer proceed?

Allow the firewall to block the sites to improve the security posture

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Install the unsupported cipher into the firewall to allow the sites to be decrypted

Create a Security policy to allow access to those sites

10. WildFire will submit for analysis blocked files that match which profile settings?

files matching Anti-Spyware signatures

files that are blocked by URL filtering

files that are blocked by a File Blocking profile

files matching Anti-Virus signatures

Page 2 of 4

11. Which GlobalProtect component must be configured to enable Clientless VPN?

GlobalProtect satellite

GlobalProtect app

GlobalProtect portal

GlobalProtect gateway

12. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Certificate profile

Path Quality profile

SD-WAN Interface profile

Traffic Distribution profile

13. What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

14. An engineer is configuring SSL Inbound Inspection for public access to a company's application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Self-signed CA and End-entity certificate

Root CA and Intermediate CA(s)

Self-signed certificate with exportable private key

Intermediate CA (s) and End-entity certificate

15. Where is information about packet buffer protection logged?

Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log

All entries are in the System log

Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

All entries are in the Alarms log

16. What is a correct statement regarding administrative authentication using external services with a local authorization method?

Prior to PAN-OS 10.2. an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.

Starting with PAN-OS 10.2. an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.

The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.

17. What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

a Security policy with 'known-user" selected in the Source User field

an Authentication policy with 'unknown' selected in the Source User field

a Security policy with 'unknown' selected in the Source User field

an Authentication policy with 'known-user' selected in the Source User field

18. A client wants to detect the use of weak and manufacturer-default passwords for loT devices.

Which option will help the customer?

Configure a Data Filtering profile with alert mode.

Configure an Antivirus profile with alert mode.

Configure a Vulnerability Protection profile with alert mode

Configure an Anti-Spyware profile with alert mode.

19. Which GlobalProtect component must be configured to enable Clientless VPN?

GlobalProtect satellite

GlobalProtect app

GlobalProtect portal

GlobalProtect gateway

20. An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action.

How can the administrator create an exception for this particular file?

Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

Disable the WildFire profile on the related Security policy.

Page 3 of 4

21. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

review the configuration logs on the Monitor tab

click Preview Changes under Push Scope

use Test Policy Match to review the policies in Panorama

context-switch to the affected firewall and use the configuration audit tool

22. An engineer must configure the Decryption Broker feature

Which Decryption Broker security chain supports bi-directional traffic flow?

Layer 2 security chain

Layer 3 security chain

Transparent Bridge security chain

Transparent Proxy security chain

23. What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

24. An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Non-functional

Passive

Active-Secondary

Active

25. Which statement regarding HA timer settings is true?

Use the Recommended profile for typical failover timer settings

Use the Moderate profile for typical failover timer settings

Use the Aggressive profile for slower failover timer settings.

Use the Critical profile for faster failover timer settings.

26. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Syslog listener

agentless User-ID with redistribution

standalone User-ID agent

captive portal

27. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

Destination Zone

App-ID

Custom URL Category

User-ID

Source Interface

28. A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

> set session tcp-reject-non-syn no

Navigate to Network > Zone Protection Click Add Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

# set deviceconfig setting session tcp-reject-non-syn no

29. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

inherit address-objects from templates

define a common standard template configuration for firewalls

standardize server profiles and authentication configuration across all stacks

standardize log-forwarding profiles for security polices across all stacks

30. A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

Panorama > Managed Devices

Monitor > Logs > Traffic

Device Groups > Objects > Log Forwarding

Templates > Device > Log Settings

Page 4 of 4

31. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

Configure a remote network on PAN-OS

Upgrade to a PAN-OS SD-WAN subscription

Deploy Prisma SD-WAN with Prisma Access

Configure policy-based forwarding

32. Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?

Legacy

Log Collector

Panorama

Management Only

33. A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic

Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic

Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive

Use Decryption profiles to drop traffic that uses processor-intensive ciphers

34. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

IP Netmask

IP Wildcard Mask

IP Address

IP Range

35. What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

Configure a security policy rule to allow new App-IDs that might have network-wide impact

Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

Study the release notes and install new App-IDs if they are determined to have low impact

36. A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public

address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

Option A

Option B

Option C

Option D

37. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Create a zone protection profile with flood protection configured to defend an entire egress zone against SY

ICMP ICMPv6, UD

and other IP flood attacks

Add a WildFire subscription to activate DoS and zone protection features

Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

38. A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443 A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cJeartext web-browsing traffic to this server on tcp/443?

Rule #1 application: web-browsing; service application-default; action: allow Rule #2 application: ssl; service: application-default; action: allow

Rule #1: application; web-browsing; service: service-https; action: allow Rule #2 application: ssl; service: application-default, action: allow

Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Rule tf1 application: ssl; service: application-default; action: allow Rule #2 application; web-browsing; service application-default; action: allow

39. A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link.

They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096 in the "Tag Allowed" field of the V-Wire object.

Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.

Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface t

unique zone. Do not assign any interface an IP address.

Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN I

Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.