Palo Alto Networks PCNSE Real 2021 Braindumps Mock Exam Dumps
PCNSE Exam Questions | Real PCNSE Practice Dumps
Conclusion
There’s no arguing that the PCNSE exam and certification will be great for you and your career in IT. Choose your learning materials wisely to ensure your success in the official test, particularly if you’re a beginner. Reading sub-par learning materials is going to prove to be a giant waste of time.
NEW QUESTION 50
Which virtual router feature determines if a specific destination IP address is reachable?
- A. Ping-Path
- B. Path Monitoring
- C. Failover
- D. Heartbeat Monitoring
Answer: B
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf
NEW QUESTION 51
In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?
- A. 36 hours
- B. 6 to 12 hours
- C. 24 hours
- D. 1 to 4 hours
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-thre
NEW QUESTION 52
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.
Answer:
Explanation:
IMAP, POP3, SMTP -> Alert
HTTP, FTP, SMB -> Reset-both
NEW QUESTION 53
If the firewall has the link monitoring configuration, what will cause a failover?
- A. ethernet1/3 or ethernet1/6 going down
- B. ethernet1/6 going down
- C. ethernet1/3 going down
- D. ethernet1/3 and ethernet1/6 going down
Answer: D
NEW QUESTION 54
What will be the source address in the ICMP packet?
- A. 10.46.72.93
- B. 10.46.64.94
- C. 10.30.0.93
- D. 192.168.93.1
Answer: B
NEW QUESTION 55
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
- A. test
- B. find
- C. check
- D. sim
Answer: A
Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0
NEW QUESTION 56
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
- A. Enable the "Block sessions with untrusted issuers" setting.
- B. Create a Security Policy rule with vulnerability Security Profile attached.
- C. Create a Dynamic Address Group for untrusted sites
- D. Create a no-decrypt Decryption Policy rule.
- E. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
Answer: B,D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile
NEW QUESTION 57
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?
- A. Use the DNS App-ID with application-default.
- B. Apply a classified DoS Protection Profile.
- C. Enable packet buffer protection on the Zone Protection Profile.
- D. Apply an Anti-Spyware Profile with DNS sinkholing.
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/do
To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.
NEW QUESTION 58
Which feature prevents the submission of corporate login information into website forms?
- A. Data filtering
- B. User-ID
- C. Credential phishing prevention
- D. File blocking
Answer: C
Explanation:
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation-security-platform-contributes-to-gdpr-co
"Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website. Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate."
NEW QUESTION 59
An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
- A. Use an enterprise CA-signed certificate for the Forward Untrust certificate
- B. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
- C. Use the same Forward Trust certificate on all firewalls in the network
- D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
Answer: C
NEW QUESTION 60
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?
- A. Vulnerability Protection
- B. URL Filtering
- C. Anti-Spyware
- D. Antivirus
Answer: A
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-security-profiles-vulnerability-protection
NEW QUESTION 61
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?
- A. Vulnerability Protection
- B. URL Filtering
- C. Anti-Spyware
- D. Antivirus
Answer: A
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-security-profiles-vulnerability-protection
NEW QUESTION 62
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required.
Which interface type would support this business requirement?
- A. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
- B. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
- C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
- D. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
Answer: D
NEW QUESTION 63
YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic.
The following interfaces and zones are in use on the firewall:
- ethernet 1/1, Zone: Untrust (Internet-facing)
- ethernet 1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface ethernet 1/1 has a QoS profile called Outbound, and interface ethernet 1/2 has a QoS profile called Inbound.
Which setting for Class 6 will throttle YouTube traffic?
- A. Inbound profile with Maximum Egress
- B. Outbound profile with Maximum Ingress
- C. Inbound profile with Guaranteed Egress
- D. Outbound profile with Guaranteed Ingress
Answer: A
Explanation:
Identify the egress interface for applications that you identified as needing QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/quality-of-service/configure-qos
NEW QUESTION 64
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.
Which log entry can the administrator use to verify that sessions are being decrypted?
- A. In the details of the Traffic log entries
- B. Data Filtering log
- C. In the details of the Threat log entries
- D. Decryption log
Answer: A
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719
NEW QUESTION 65
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two.)
- A. The interfaces are pingable.
- B. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
- C. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
- D. The devices are pre-configured with a virtual wire pair out the first two interfaces.
- E. The devices are licensed and ready for deployment.
Answer: B,E
NEW QUESTION 66
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
- A. Depending on the firewall location, Panorama decides which settings to send.
- B. The settings assigned to the template that is on top of the stack.
- C. The administrator will be prompted to choose the settings for that chosen firewall.
- D. All the settings configured in all templates.
Answer: C
Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/manag templates-and-template-stacks/configure-a-template-stack
NEW QUESTION 67
While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?
- A. show system setting ssl-decrypt certificate
- B. show system setting ssl-decrypt certificate-cache
- C. show system setting ssl-decrypt certs
- D. debug dataplane show ssl-decrypt ssl-stats
Answer: A
NEW QUESTION 68
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)
- A. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.
- B. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
- C. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
- D. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
Answer: A,C
NEW QUESTION 69
TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows.
- A. FALSE
- B. TRUE
Answer: B
NEW QUESTION 70
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?
- A. Port Mapping
- B. Server Monitoring
- C. Client Probing
- D. XML API
Answer: D
Explanation:
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent.
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/user-id-concepts/group-mapping#id93306080-fd9b-4f1b-96a6-4bfe1c8e69df
NEW QUESTION 71
Refer to the exhibit.
A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
- A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
- B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
- C. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow
- D. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping
PCNSE: Career Bonuses
The professionals with the PCNSE certification will have a good position and will be chosen over other candidates. Besides that, they can receive higher salaries. Their knowledge base can be useful for the job roles, such as a Network Security Engineer, an Enterprise Network Engineer/Admin, an Information Security Analyst, a Senior Palo Alto Network Specialist, a Network Administrator, and more. The average salary ranges from $75,000 to $120,000 per year.
