Free Palo Alto Networks (PCNSE) Certification Sample Questions with Online Practice Test
PCNSE Certification Study Guide Pass PCNSE Fast
NEW QUESTION 55
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
- A. On-demand
- B. Pre-logon
- C. At-boot
- D. User-logon (Always on)
Answer: B
Explanation:
A client certificate is a user certificate. It can be used with the 'user-logon' and 'on-demand' connect methods and authenticates a user. A machine certificate is a device certificate. It can be used with the 'pre-logon' connect method and authenticates a device, not a user.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK
NEW QUESTION 56
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
- A. Create a Dynamic Address Group for untrusted sites
- B. Create a Security Policy rule with vulnerability Security Profile attached.
- C. Create a no-decrypt Decryption Policy rule.
- D. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
- E. Enable the "Block sessions with untrusted issuers" setting.
Answer: C,E
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile
NEW QUESTION 57
The certificate information displayed in the following image is for which type of certificate?
- A. Public CA signed certificate
- B. Self-Signed Root CA certificate
- C. Forward Trust certificate
- D. Web Server certificate
Answer: A
NEW QUESTION 58
Which two features does PAN-OS software use to identify applications? (Choose two)
- A. session number
- B. transaction characteristics
- C. port number
- D. application layer payload
Answer: B,C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/app-id/application-level-gateways
The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application-layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
NEW QUESTION 59
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?
- A. Panorama does not have valid licenses to push the dynamic updates
- B. Panorama has no connection to Palo Alto Networks update servers
- C. No service route is configured on the firewalls to Palo Alto Networks update servers
- D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
Answer: D
Explanation:
Locally defined dynamic update settings on a managed Palo Alto Networks firewall take precedence over the settings pushed by Panorama.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0
NEW QUESTION 60
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
- A. A web server certificate signed by the organization's PKI
- B. A subordinate Certificate Authority certificate signed by the organization's PKI
- C. A self-signed Certificate Authority certificate generated by the firewall
- D. A Machine Certificate for the firewall signed by the organization's PKI
Answer: C
NEW QUESTION 61
When configuring the firewall for packet capture, what are the valid stage types?
- A. Receive management, transmit, and non-syn
- B. Receive, firewall, send, and non-syn
- C. Receive, management, transmit, and drop
- D. Receive, firewall, transmit, and drop
Answer: D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-packet-capture/packet-capture-overview.html
NEW QUESTION 62
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?
- A. Session Browser
- B. TCP Dump
- C. Packet Capture
- D. Application Command Center
Answer: D
NEW QUESTION 63
PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?
- A. Threat Prevention
- B. URL Filtering
- C. GlobalProtect
- D. Application Center
Answer: A
NEW QUESTION 64
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?
- A. show system details
- B. debug system details
- C. show system info
- D. show session info
Answer: C
Explanation:
Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/pan-os-60/PAN-OS-6.0-CLI-ref.pdf
NEW QUESTION 65
When you navigate to Network > GlobalProtect > Portals > Method section, which three options are available? (Choose three.)
- A. certificate-logon
- B. on-demand (manual user initiated connection)
- C. post-logon (always on)
- D. user-logon (always on)
- E. pre-logon then on-demand
Answer: D,E
NEW QUESTION 66
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
NEW QUESTION 67
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?
- A. Anti-Spyware profile
- B. Zone Protection profile
- C. Vulnerability Protection profile
- D. URL Filtering profile
Answer: D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing
NEW QUESTION 68
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
- A. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
- B. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.
- C. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
- D. Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone.
- E. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
Answer: D
Explanation:
You can configure Packet Buffer Protection at two levels: the device level (global) and if enabled globally, you can also enable it at the zone level. Global packet buffer protection (Device > Setup > Session) is to protect firewall resources and ensure that malicious traffic does not cause the firewall to become non-responsive.
Packet buffer protection per ingress zone (Network > Zones) is a second layer of protection that starts blocking the offending IP address if it continues to exceed the packet buffer protection thresholds. The firewall can block all traffic from the offending source IP address. Keep in mind that if the source IP address is a translated NAT IP address, many users can be using the same IP address. If one abusive user triggers packet buffer protection and the ingress zone has packet buffer protection enabled, all traffic from that offending source IP address (even from non-abusive users) can be blocked when the firewall puts the IP address on its block list.
The most effective way to block DoS attacks against a service behind the firewall is to configure packet buffer protection globally and per ingress zone. You can Enable Packet Buffer Protection for a zone, but it is not active until you enable packet buffer protection globally and specify the settings.
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection
NEW QUESTION 69
Which three fields can be included in a pcap filter? (Choose three)
- A. Egress interface
- B. Source IP
- C. Destination IP
- D. Rule number
- E. Ingress interface
Answer: B,C,E
Explanation:
https://knowledgebase.paloaltonetworks.com/servlet/rtaImage?eid=ka10g000000U0KT&feoid=00N0g000003VPSv&refid=0EM0g000001Ja97
NEW QUESTION 70
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.
Answer:
Explanation:
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/set-up-zero-touch-provisio
NEW QUESTION 71
Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.)
- A. SSH key
- B. Voice
- C. One-Time Password
- D. Push
- E. User logon
- F. Short message service
Answer: B,C,D,F
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication
NEW QUESTION 72
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table. Which two configurations should you check on the firewall? (Choose two.)
- A. Within the redistribution profile ensure that Redist is selected
- B. In the redistribution profile check that the source type is set to "ospf"
- C. Ensure that the OSPF neighbor state is "2-Way"
- D. In the OSPF configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section
Answer: A,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network-virtual-routers/ospf/o
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGTCA0
How much does PCNSE Exam Cost
The price of PCNSE exam is $160 USD.