Ultimate Guide to Prepare PCNSE Certification Exam for PCNSE in 2021
Use Real PCNSE Dumps - Palo Alto Networks Correct Answers updated on 2021
NEW QUESTION 22
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:
What could be the cause of this problem?
- A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the ASA.
- B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
- C. The shared secerts do not match between the Palo Alto firewall and the ASA
- D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
Answer: B
NEW QUESTION 23
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment?
- A. Antivirus profiles applied to outbound security policies with action set to alert
- B. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
- C. Vulnerability Protection profiles applied to outbound security policies with action set to block
- D. File Blocking profiles applied to outbound security policies with action set to alert
Answer: B
Explanation:
Starting with PAN-OS 6.0, DNS sinkhole is an action that can be enabled in Anti-Spyware profiles. A DNS sinkhole can be used to identify infected hosts on a protected network using DNS traffic in environments where the firewall can see the DNS query to a malicious URL.
The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain name to resolve to a definable IP address (fake IP) that is given to the client. If the client attempts to access the fake IP address and there is a security rule in place that blocks traffic to this IP, the information is recorded in the logs.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta- p/58891
NEW QUESTION 24
Which event will happen if an administrator uses an Application Override Policy?
- A. The application name assigned to the traffic by the security rule is written to the Traffic log.
- B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
- C. App-ID processing time is increased.
- D. Threat-ID processing time is decreased.
Answer: B
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create- an-Application-Override/ta-p/65513
NEW QUESTION 25
Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
- A. LDAP
- B. Kerberos
- C. SAML
- D. PAP
- E. RADIUS
- F. TACACS+
Answer: A,B,C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:
Configure SAML Authentication Configure TACACS+ Authentication Configure RADIUS Authentication
NEW QUESTION 26
Based on the image, what caused the commit warning?
- A. The CA certificate for FWDtrust has not been imported into the firewall.
- B. SSL Forward Proxy requires a public certificate to be imported into the firewall.
- C. The FWDtrust certificate has not been flagged as Trusted Root CA.
- D. The FWDtrust certificate does not have a certificate chain.
Answer: D
NEW QUESTION 27
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface.
Which interface type and configuration setting will support this design?
- A. Layer 3 interface type with specified tag
- B. Layer 2 interface type with a VLAN assigned
- C. Layer 3 subinterface type with specified tag
- D. Trunk interface type with specified lag
Answer: C
Explanation:
The interface ethernet1/15 is configured as a layer 3 interface. Subinterfaces corresponding to each one of the VLAN are created off of the parent interface Ethernet 1/15. Each subinterface is assigned a VLAN tag and an IP address corresponding to the VLAN provides connectivity.
Note: Inter VLAN routing with each VLAN in a unique IP subnet In order for network devices in different VLANs to communicate, a router must be used to route traffic between the VLANs. While VLANs help to control local traffic, if a device in one VLAN needs to communicate with a device in another VLAN, one or more routers must be used for inter VLAN communication. In this configuration a Palo Alto networks firewall can used to securely route traffic within the VLAN. This is also commonly called "one arm routing" or "router on a stick".
NEW QUESTION 28
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?
- A. Marching any valid corporate username.
- B. Using the same user's corporate username and password.
- C. Mapping to the IP address of the logged-in user.
- D. First four letters of the username matching any valid corporate username.
Answer: B
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/content-inspection-features/credential- ention Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-features/crede phishing-prevention
NEW QUESTION 29
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
- A. Short message service
- B. Voice
- C. Push
- D. One-Time Password
- E. SSH key
- F. User logon
Answer: A,B,C,D
NEW QUESTION 30
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or stack template? (Choose two.)
- A. Network Interface Type
- B. Master Key
- C. HA1 IP Address
- D. Zone Protection Profile
Answer: B,C
NEW QUESTION 31
Which User-ID method should be configured to map IP addresses to usernames for users connected
through a terminal server?
- A. XFF headers
- B. client probing
- C. port mapping
- D. server monitoring
Answer: C
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-
mapping-for-terminal-server-users
NEW QUESTION 32
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
- A. Microsoft Hyper-V
- B. Kernel Virtualization Module (KVM)
- C. Boot Strap Virtualization Module (BSVM)
- D. Red Hat Enterprise Virtualization (RHEV)
Answer: A,B
Explanation:
Reference:
docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments
NEW QUESTION 33
Which operation will impact performance of the management plane?
- A. WildFire submissions
- B. decrypting SSL sessions
- C. generating a SaaS Application report
- D. DoS protection
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
NEW QUESTION 34
An engineer must configure a new SSL decryption deployment
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
- A. A Decryption profile must be attached to the Security policy that the traffic matches
- B. A Decryption profile must be attached to the Decryption policy that the traffic matches
- C. There must be a certificate with only the Forward Trust option selected
- D. There must be a certificate with both the Forward Trust option and Forward Untrust option selected
Answer: D
NEW QUESTION 35
Refer to the exhibit.
Which certificates can be used as a Forwarded Trust certificate?
- A. Certificate from Default Trust Certificate Authorities
- B. Forward_Trust
- C. Domain Sub-CA
- D. Domain-Root-Cert
Answer: C
NEW QUESTION 36
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to
the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)
- A. View System logs.
- B. Add a redistribution profile to forward as BGP updates.
- C. Perform a traffic pcap at the routing stage.
- D. View Runtime Stats in the virtual router.
Answer: A,D
NEW QUESTION 37
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
- A. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
- B. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
- C. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
- D. The firewalls do not use floating IPs in active/active HA.
Answer: B
NEW QUESTION 38
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
- A. Vulnerability Protection
- B. Anti-Spyware
- C. WildFire
- D. Antivirus
Answer: D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/antivirus-profiles
NEW QUESTION 39
Refer to the exhibit.
An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
- A.

- B.

- C.

- D.

Answer: C
NEW QUESTION 40
......
PCNSE -PCNSE Exam-Practice-Dumps: https://www.fast2test.com/PCNSE-premium-file.html
PCNSE Premium Files Test pdf - Free Dumps Collection: https://drive.google.com/open?id=1ggPeZsB6UXiENRk-TYTCsOCG_C7Ixq3W