Palo Alto Networks PCNSE Real Exam Questions Test Engine Dumps Training With 363 Questions [Q159-Q180]


PCNSE Actual Questions Answers PDF 100% Cover Real Exam Questions


Sample Questions

Which configuration must be made on the firewall before it can read User-ID-to-IP-address mapping tables from external sources?

  • A. Group Mapping Settings
  • B. Server Monitoring
  • C. Captive Portal
  • D. User-ID Agents

For an external device to consume a local User-ID-to-IP-address mapping table, which data is used for authentication between the devices?

  • A. the source device’s Data Redistribution Collector Name and Pre-Shared Key
  • B. User-ID agent’s Server Monitor Account information
  • C. administrator's account information on the source device with the User-ID role set
  • D. certificates added to the User-ID agent configuration

User-ID-to-IP-address mapping tables can be read by which product or service?

  • A. Cortex XDR
  • B. Panorama Log Collector
  • C. AutoFocus
  • D. Prisma Cloud

 

NEW QUESTION 159
Which hardware firewall platforms include both built-in front-to-back airflow and redundant power supplies?

  • A. All Palo Alto Networks hardware firewall platforms
  • B. All PA-5000 and PA-7000 series firewall platforms
  • C. The PA-7000 series firewall platforms
  • D. The PA-3060 firewall platform

Answer: D

 

NEW QUESTION 160
Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)

  • A. SSH key
  • B. Short message service
  • C. Push
  • D. User logon
  • E. One-Time Password
  • F. Voice

Answer: B,C,E,F

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication

 

NEW QUESTION 161
How does Panorama prompt VMware NSX to quarantine an infected VM?

  • A. Email Server Profile
  • B. SNMP Server Profile
  • C. HTTP Server Profile
  • D. Syslog Server Profile

Answer: C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-vmware-nsx/dynamically-quarantine-infected-guests

 

NEW QUESTION 162
Which data flow describes redistribution of user mappings?

  • A. User-ID agent to Panorama
  • B. Domain Controller to User-ID agent
  • C. User-ID agent to firewall
  • D. firewall to firewall

Answer: D

Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-u

 

NEW QUESTION 163
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Configure the option for "Threshold".
  • B. Automatically "download and install" but with the "disable new applications" option used.
  • C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  • D. Disable automatic updates during weekdays.

Answer: C

 

NEW QUESTION 164
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)

  • A. IP Addresses
  • B. the name of the ISP
  • C. branch and hub locations
  • D. link requirements

Answer: A,C,D

 

NEW QUESTION 165
After migrating from an ASA firewall to a Palo Alto Networks firewall, the VPN connection between a remote network and the Palo Alto Networks firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message?

  • A. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no pfs
  • B. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
  • C. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
  • D. Update the IKE Crypto profile for the Vendor IKE gateway from no pfs to group2.

Answer: C

 

NEW QUESTION 166
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

  • A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
  • B. Rule #1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
  • C. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
  • D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer: C

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK

 

NEW QUESTION 167
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to DMZ (1.1.1.100), web-browsing - Allow
  • B. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
  • C. Untrust (Any) to Untrust (10.1.1.1), SSH - Allow
  • D. Untrust (Any) to Untrust (10.1.1.1), web-browsing - Allow
  • E. Untrust (Any) to DMZ (1.1.1.100), SSH - Allow

Answer: A,E

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#

 

NEW QUESTION 168
Which three options are supported in HA Lite? (Choose three.)

  • A. Synchronization of IPsec security associations
  • B. Configuration synchronization
  • C. Active/passive deployment
  • D. Virtual link
  • E. Session synchronization

Answer: A,B,C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-high-availability/ha-lite

 

NEW QUESTION 169
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

  • A. VMware NSX
  • B. VMware ESX
  • C. AWS
  • D. KVM

Answer: B,D

 

NEW QUESTION 170
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers, including future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

  • A. Preconfigured IPsec tunnels
  • B. Preconfigured GlobalProtect satellite
  • C. Preconfigured PPTP Tunnels
  • D. Preconfigured GlobalProtect client

Answer: B

 

NEW QUESTION 171
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to protect against compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers.
Which Security Profile type will prevent these behaviors?

  • A. Antivirus
  • B. Anti-Spyware
  • C. Vulnerability Protection
  • D. WildFire

Answer: B

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/anti-spyware-profiles

 

NEW QUESTION 172
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A. Enable the "Block sessions with untrusted issuers" setting.
  • B. Create a Security Policy rule with vulnerability Security Profile attached.
  • C. Create a Dynamic Address Group for untrusted sites
  • D. Create a no-decrypt Decryption Policy rule.
  • E. Configure an EDL to pull IP addresses of known sites resolved from a CRL.

Answer: B,D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile

 

NEW QUESTION 173
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?

  • A. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
  • B. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns
  • C. Configure a Captive Portal authentication policy that uses an authentication sequence
  • D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile

Answer: C

 

NEW QUESTION 174
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.

Which Security policy rule will allow traffic to flow to the web server?

  • A. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
  • B. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
  • C. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
  • D. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow

Answer: D

 

NEW QUESTION 175
If the firewall has the link monitoring configuration, what will cause a failover?

  • A. ethernet1/3 or ethernet1/6 going down
  • B. ethernet1/6 going down
  • C. ethernet1/3 going down
  • D. ethernet1/3 and ethernet1/6 going down

Answer: D

 

NEW QUESTION 176
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

  • A. Both the active and passive firewalls independently, with no synchronization afterward
  • B. The passive firewall, which then synchronizes to the active firewall
  • C. The active firewall, which then synchronizes to the passive firewall
  • D. Both the active and passive firewalls, which then synchronize with each other

Answer: A

 

NEW QUESTION 177
Given the following configuration, which route is used for destination 10.10.0.4?

  • A. Route 3
  • B. Route 3
  • C. Route 4
  • D. Route 1

Answer: C

 

NEW QUESTION 178
Which option describes the operation of the automatic commit recovery feature?

  • A. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.
  • B. It enables a firewall to revert to the previous configuration if rule shadowing is detected.
  • C. It enables a firewall to revert to the previous configuration if application dependency errors are found.
  • D. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.

Answer: A

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery.html

 

NEW QUESTION 179
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface.
Which interface type and configuration setting will support this design?

  • A. Layer 3 interface type with specified tag
  • B. Layer 3 subinterface type with specified tag
  • C. Layer 2 interface type with a VLAN assigned
  • D. Trunk interface type with specified tag

Answer: B

Explanation:
The interface ethernet1/15 is configured as a Layer 3 interface. Subinterfaces corresponding to each of the VLANs are created off the parent interface ethernet1/15. Each subinterface is assigned a VLAN tag and an IP address corresponding to the VLAN, which provides connectivity.

Note: Inter-VLAN routing with each VLAN in a unique IP subnet. In order for network devices in different VLANs to communicate, a router must be used to route traffic between the VLANs. While VLANs help to control local traffic, if a device in one VLAN needs to communicate with a device in another VLAN, one or more routers must be used for inter-VLAN communication. In this configuration a Palo Alto Networks firewall can be used to securely route traffic within the VLAN. This is also commonly called "one arm routing" or "router on a stick".

 

NEW QUESTION 180
......
