Free Palo Alto Networks PCNSE Test Practice Test Questions Exam Dumps
Prepare Top Palo Alto Networks PCNSE Exam Audio Study Guide Practice Questions Edition
Palo Alto Networks is a leading provider of cybersecurity solutions that help organizations protect their networks, data, and applications from cyber threats. In order to ensure that their customers have the necessary skills and knowledge to effectively deploy and manage their products, Palo Alto Networks offers a variety of certification programs, including the Palo Alto Networks Certified Security Engineer (PCNSE) Certification.
NEW QUESTION # 42
A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)
- A. M-500
- B. M-100
- C. Panorama virtual appliance on ESX(i) only
- D. M-100 with Panorama installed
Answer: A,B
NEW QUESTION # 43
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
- A. Device>Setup> Management> Logging and Reporting Settings
- B. Device>Setup>WildFire>AutoFocus
- C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
- D. Device> Setup>Management >AutoFocus
- E. Device>Setup>Services>AutoFocus
Answer: D
NEW QUESTION # 44
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)
- A. Virtual router
- B. Security zone
- C. ARP entries
- D. Netflow Profile
Answer: B,D
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/ network-interfaces/pa-7000-series-layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-8064499f5b9d
NEW QUESTION # 45
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
- A. OSPF
- B. ASBR
- C. ECMP
- D. OSPFv3
Answer: D
Explanation:
Explanation
Support for multiple instances per link-With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospf-concepts/ospfv3
NEW QUESTION # 46
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No
Decrypt" action? (Choose two.)
- A. Block sessions with expired certificates
- B. Block sessions with unsupported cipher suites
- C. Block sessions with client authentication
- D. Block sessions with untrusted issuers
- E. Block credential phishing
Answer: A,D
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/define-traffic-
to-decrypt/create-a-decryption-profile
NEW QUESTION # 47
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
- A. Session Browser
- B. System Logs
- C. ACC
- D. App Scope
Answer: A
NEW QUESTION # 48
An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization1?
- A. WildFire and Threat Prevention combine to minimize the attack surface
- B. After 24 hours WildFire signatures are included in the antivirus update
- C. Protection against unknown malware can be provided in near real-time
- D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
Answer: A
NEW QUESTION # 49
Which event will happen if an administrator uses an Application Override Policy?
- A. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
- B. App-ID processing time is increased.
- C. Threat-ID processing time is decreased.
- D. The application name assigned to the traffic by the security rule is written to the Traffic log.
Answer: A
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or-unknown-applications#
NEW QUESTION # 50
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?
- A. External Dynamic Lists do not support SSL connections.
- B. A Certificate Profile that contains the client certificate needs to be selected.
- C. A Certificate Profile that contains the CA certificate needs to be selected.
- D. The source address supports only files hosted with an ftp://<address/file>.
Answer: C
NEW QUESTION # 51
After configuring HA in Active/Passive mode on a pair of firewalls the administrator gets a failed commit with the following details.
What are two explanations for this type of issue? (Choose two)
- A. The Backup Peer HA1 IP Address was not configured when the commit was issued
- B. Either management or a data-plane interface is used as HA1-backup
- C. The peer IP is not included in the permit list on Management Interface Settings
- D. One of the firewalls has gone into the suspended state
Answer: A,B
Explanation:
Cause The issue is seen when the HA1-backup is configured with either management (MGT) or an in-band interface. The "Backup Peer HA1 IP Address" is not configured : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU&lang=en_US%E2%80%A9
NEW QUESTION # 52
Which two firewall components enable you to configure SYN flood protection thresholds?
(Choose two)
- A. DoS Protection Profile
- B. Zone Protection Profile
- C. Dos Protection policy
- D. QoS Profile
Answer: A,B
Explanation:
Flood Attack Protection
Zone Protection Profiles protect against of five types of floods:
* SYN (TCP)
* UDP
* ICMP
* ICMPv6
* Other IP
NEW QUESTION # 53
How can a candidate or running configuration be copied to a host external from Panorama?
- A. Save a candidate configuration.
- B. Commit a running configuration.
- C. Export a named configuration snapshot.
- D. Save a configuration snapshot.
Answer: C
Explanation:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/ administer-panorama/back-up-panorama-and-firewall-configurations
NEW QUESTION # 54
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?
- A. XML API
- B. Client Probing
- C. Port Mapping
- D. Server Monitoring
Answer: A
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-concepts
NEW QUESTION # 55
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
- A. The settings assigned to the template that is on top of the stack.
- B. The administrator will be promoted to choose the settings for that chosen firewall.
- C. Depending on the firewall location, Panorama decides with settings to send.
- D. All the settings configured in all templates.
Answer: A
Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/manage- templates-and-template-stacks/configure-a-template-stack
NEW QUESTION # 56
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What can the administrator do to correct this issue?
- A. Add the template as a reference template in the device group.
- B. Specify the target device as the master device in the device group.
- C. Add a firewall to both the device group and the template.
- D. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
Answer: A
NEW QUESTION # 57
An engineer is tasked with configuring a Zone Protection profile on the untrust zone.
Which three settings can be configured on a Zone Protection profile? (Choose three.)
- A. Protocol Protection
- B. Ethernet SGT Protection
- C. Reconnaissance Protection
- D. DoS Protection
- E. Resource Protection
Answer: A,C,D
Explanation:
Explanation
Protocol Protection: is used to protect against known protocol vulnerabilities, such as buffer overflows and malformed packets.
DoS Protection: is used to protect against denial-of-service (DoS) attacks, such as SYN floods and ICMP floods.
Reconnaissance Protection: is used to protect against reconnaissance attacks, such as port scans and ping sweeps.
NEW QUESTION # 58
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not
in "the cloud"). Bootstrapping is the most expedient way to perform this task.
Which option describes deployment of a bootstrap package in an on-premise virtual environment?
- A. Create and attach a virtual hard disk (VHD).
- B. Use a virtual CD-ROM with an ISO.
- C. Use config-drive on a USB stick.
- D. Use an S3 bucket with an ISO.
Answer: B
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-
series-firewall-on-kvm/install-the-vm-series-firewall-on-kvm/use-an-iso-file-to-deploy-the-vm-series-firewall
NEW QUESTION # 59
What file type upload is supported as part of the basic WildFire service?
- A. VBS
- B. PE
- C. ELF
- D. BAT
Answer: B
NEW QUESTION # 60
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
Answer:
Explanation:
NEW QUESTION # 61
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?
- A. Grayware
- B. Phishing
- C. Spyware
- D. Malware
Answer: A
Explanation:
Wildfire verdictions are as follow 1-Begnin 2-Greyware 3-Mallicious 4-Phishing
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-overview/wildfire-concepts/verdicts
The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs)
NEW QUESTION # 62
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?
- A. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.
- B. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
- C. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
- D. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
Answer: D
Explanation:
Explanation
According to the Palo Alto Networks documentation , the User-ID XML API is a feature that allows external systems to send user mapping information to the firewall or Panorama using XML messages over HTTPS. The User-ID XML API can be used to integrate with third-party identity management solutions (IDM) that can provide authentication events for VPN and wireless users. Therefore, the correct answer is C.
The other options are not effective or relevant for extracting and learning IP-to-user mapping information from authentication events for VPN and wireless users:
Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users: This option would not help because the root cause analysis showed that authentication events were not captured on the domain controllers that were being monitored. Adding more domain controllers would not change this fact, unless they were configured to receive authentication events from RADIUS servers, which is not mentioned in the scenario.
Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS: This option would not help because it assumes that the IDM solution can send Syslog messages over TLS, which is not mentioned in the scenario. Moreover, Syslog messages are less reliable and secure than XML messages for user mapping information.
Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping: This option would not help because it assumes that the VPN concentrators and wireless controllers can provide IP-to-User mapping information, which is not mentioned in the scenario. Moreover, this option would require additional configuration and maintenance of Windows User-ID agents, which may not be feasible or scalable.
References: 1:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/send-user-mappin
NEW QUESTION # 63
An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: B
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes
NEW QUESTION # 64
What can you use with Global Protect to assign user-specific client certificates to each GlobalProtect user?
- A. Certificate profile
- B. SCEP
- C. SSL/TLS Service profile
- D. OCSP Responder
Answer: B
Explanation:
Explanation
If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to automate the generation and distribution of unique client certificates.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/obtain-certifica
NEW QUESTION # 65
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
Explanation
Timeline Description automatically generated
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html
NEW QUESTION # 66
......
Go to PCNSE Questions - Try PCNSE dumps pdf: https://testinsides.actualpdf.com/PCNSE-real-questions.html
