PCNSE Self-Study Guide for Becoming a Palo Alto Networks Certified Network Security Engineer Exam Expert
NEW QUESTION # 89
Refer to the exhibit.
A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
- A. Untrust (any) to Untrust (1.1.1.100), web-browsing - Allow
- B. Untrust (any) to DMZ (10.1.1.100), web-browsing - Allow
- C. Untrust (any) to Untrust (10.1.1.100), web-browsing - Allow
- D. Untrust (any) to DMZ (1.1.1.100), web-browsing - Allow
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping
NEW QUESTION # 90
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
- A. Allow application facebook before denying application facebook-chat
- B. Deny application facebook-chat before allowing application facebook
- C. Allow application facebook on top
- D. Deny application facebook on top
Answer: B
Explanation:
Reference:
https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block-Facebook-Chat-Consistently/ta-p/11
NEW QUESTION # 91
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
- A. port mapping
- B. server monitoring
- C. XFF headers
- D. client probing
Answer: A
NEW QUESTION # 92
Which two mechanisms help prevent a split-brain scenario in an Active/Passive High Availability (HA) pair? (Choose two.)
- A. Configure Ethernet 1/1 as HA1 Backup
- B. Configure the management interface as HA3 Backup
- C. Configure the management interface as HA1 Backup
- D. Configure the management interface as HA2 Backup
- E. Configure ethernet1/1 as HA3 Backup
Answer: A,C
NEW QUESTION # 93
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
- A. The host lab-client has been found by the User-ID agent.
- B. The host lab-client has been found by a domain controller.
- C. The User-ID agent is connected to the firewall labeled lab-client.
- D. The User-ID agent is connected to a domain controller labeled lab-client.
Answer: D
NEW QUESTION # 94
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
- A. Microsoft Hyper-V
- B. Boot Strap Virtualization Module (BSVM)
- C. Red Hat Enterprise Virtualization (RHEV)
- D. Kernel Virtualization Module (KVM)
Answer: A,D
Explanation:
Reference:
https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series
NEW QUESTION # 95
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
- A. find
- B. test
- C. check
- D. sim
Answer: B
Explanation:
Reference: http://www.shanekillen.com/2014/02/palo-alto-useful-cli-commands.html
NEW QUESTION # 96
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?
- A. 5 to 10 minutes
- B. More than 15 minutes
- C. 10 to 15 minutes
- D. 5 minutes
Answer: A
NEW QUESTION # 97
A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?
- A. server certificate
- B. machine certificate
- C. certificate authority (CA) certificate
- D. client certificate
Answer: A
Explanation:
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
NEW QUESTION # 98
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)
- A. IP netmask
- B. FQDN
- C. Zone
- D. Path group
Answer: A,B
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-templates/panorama-templates-template-variable
NEW QUESTION # 99
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
- A. Create an Application Override using TCP ports 443 and 80.
- B. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
- C. Add the HTTP, SSL, and Evernote applications to the same Security policy
- D. Add only the Evernote application to the Security policy rule.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/applications-with-implicit-support
NEW QUESTION # 100
If the firewall has the link monitoring configuration, what will cause a failover?
- A. ethernet1/3 or Ethernet1/6 going down
- B. ethernet1/3 going down
- C. ethernet1/3 and ethernet1/6 going down
- D. ethernet1/6 going down
Answer: C
NEW QUESTION # 101
A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
- A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
- B. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
- C. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
- D. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
Answer: A
Explanation:
According to the Palo Alto Networks documentation, "Decryption Profiles define the cipher suite settings the firewall accepts so you can protect against vulnerable, weak protocols and algorithms. You can also use Decryption Profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive."
References: https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-prac
NEW QUESTION # 102
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
- A. Exhibit B
- B. Exhibit C
- C. Exhibit D
- D. Exhibit A
Answer: C,D
NEW QUESTION # 103
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface. Which interface type and configuration setting will support this design?
- A. Layer 3 interface type with specified tag
- B. Layer 2 interface type with a VLAN assigned
- C. Layer 3 subinterface type with specified tag
- D. Trunk interface type with specified tag
Answer: C
NEW QUESTION # 104
An administrator troubleshoots an issue that causes packet drops.
Which log type will help the engineer verify whether packet buffer protection was activated?
- A. Threat
- B. Traffic
- C. Data Filtering
- D. Configuration
Answer: A
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4
NEW QUESTION # 105
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)
- A. Application Override policy.
- B. Security policy to identify the custom application.
- C. Custom Service object.
- D. Custom application.
Answer: A,D
Explanation:
Unlike the App-ID engine, which inspects application packet contents for unique signature elements, the Application Override policy's matching conditions are limited to header-based data only. Traffic matched by an Application Override policy is identified by the App-ID entered in the Application entry box. Choices are limited to applications currently in the App-ID database. Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer-4 firewall. Thus, this traffic should be trusted without the need for Content-ID inspection. The resulting application assignment can be used in other firewall functions such as Security policy and QoS.
Use Cases
Three primary use cases for Application Override policy are:
* To identify "Unknown" App-IDs with a different or custom application signature
* To re-identify an existing application signature
* To bypass the Signature Match Engine (within the SP3 architecture) to improve processing times
A discussion of typical uses of application override and specific implementation examples is here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513
NEW QUESTION # 106
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link.
They need to assign each VLAN to its own zone and assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
- A. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- B. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
- C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Answer: A
Explanation:
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.
You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html
NEW QUESTION # 107
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)
- A. App-ID
- B. Custom URL Category
- C. Destination Zone
- D. User-ID
- E. Source Interface
Answer: B,C,D
Explanation:
The valid qualifiers for a Decryption Policy Rule match are:
* Source Zone
* Destination Zone
* Source Address
* Destination Address
* Source User
* Destination User
* Source Region
* Destination Region
* Service/URL Category
* Custom URL Category
* URL Filtering Profile
Therefore, out of the options given, Destination Zone, Custom URL Category, and User-ID are valid qualifiers.
References:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-decryption-policies.html
NEW QUESTION # 108
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.
What should be done next?
- A. Click the Exceptions tab and then click show all signatures.
- B. View the default actions displayed in the Action column.
- C. Click the simple-critical rule and then click the Action drop-down list.
- D. Click the Rules tab and then look for rules with "default" in the Action column.
Answer: A
Explanation:
All Anti-Spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures, and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html