Palo Alto Networks. Pcnse PDF

Title Palo Alto Networks. Pcnse
Author Marian Ghita
Course Abnormal Psychology
Institution Palo Alto University
Pages 43
File Size 1.9 MB
File Type PDF

Summary

Q12. An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two.)
A. The /config /content and /software folders are mandatory while the /license an...


Description

PaloAltoNetworks.PCNSE.v2021-10-14.q117

Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0
Certification Provider: Palo Alto Networks
Free Question Number: 117
Version: v2021-10-14


https://www.freecram.com/torrent/PaloAltoNetworks.PCNSE.v2021-10-14.q117.html

NEW QUESTION: 1
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information:
* DMZ zone: DMZ-L3
* Public zone: Untrust-L3
* Guest zone: Guest-L3
* Web server zone: Trust-L3
* Public IP address (Untrust-L3): 1.1.1.1
* Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?
A. Guest-L3
B. Trust-L3
C. Untrust-L3
D. DMZ-L3

NEW QUESTION: 2
What are three valid actions in a File Blocking Profile? (Choose three)
A. Forward
B. Block
C. Alert
D. Upload
E. Reset-both
F. Continue
Answer: A,B,C
https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-ActionPrecedence/ta-p/53623

NEW QUESTION: 3
Which three options are available when creating a security profile? (Choose three)
A. IDS/ISP
B. Anti-Malware
C. Threat Prevention
D. File Blocking
E. URL Filtering
F. Antivirus

NEW QUESTION: 4
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)
A. VMware NSX
B. VMware ESX
C. KVM
D. AWS

NEW QUESTION: 5
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email?
A. IP command and control
B. delivery
C. reconnaissance
D. exploitation
Answer: C

NEW QUESTION: 6
A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?
A. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
B. Block all known internal custom applications
C. Block all unauthorized applications using a security policy
D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks
Answer: D

NEW QUESTION: 7
Which operation will impact performance of the management plane?
A. decrypting SSL sessions
B. DoS protection
C. WildFire submissions
D. generating a SaaS Application report
Answer: D

NEW QUESTION: 8
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
A. Rule #1: application: web-browsing; service: application-default; action: allow
   Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow
   Rule #2: application: ssl; service: application-default; action: allow
C. Rule #1: application: ssl; service: application-default; action: allow
   Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-http; action: allow
   Rule #2: application: ssl; service: application-default; action: allow
Answer: B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK

NEW QUESTION: 9
Click the Exhibit button below.
A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172.20.30.1
B. 172.20.10.1
C. 172.20.40.1
D. 172.20.20.1

NEW QUESTION: 10
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Answer: B,C

NEW QUESTION: 11
An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?
A. Create a custom App-ID and use the "ordered conditions" check box
B. Create a custom App ID and enable scanning on the advanced tab
C. Create an Application Override policy
D. Create an Application Override policy and a custom threat signature for the application
Answer: B

NEW QUESTION: 12
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?
A. 0
B. 99
C. 1
D. 255
Answer: D
Reference: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-osadmin/pan-os-admin.pdf page 315

NEW QUESTION: 13
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
A. machine certificate
B. certificate authority (CA) certificate
C. client certificate
D. server certificate

NEW QUESTION: 14
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama
Answer: B
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-firewalls-toredistribute-user-mapping-information

NEW QUESTION: 15
Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log?
A. Authentication
B. System
C. Configuration
D. GlobalProtect

NEW QUESTION: 16
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
A. Application and Threats update package
B. WildFire update package
C. User-ID agent
D. Antivirus update package

NEW QUESTION: 17
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A. QoS Log
B. QoS Statistics
C. Application Command Center (ACC)
D. Applications Report
Answer: B

NEW QUESTION: 18
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up Security policy rule to allow SSL communication.
C. Configure an SSL/TLS Profile.
D. Set up SSL/TLS under Policies > Service/URL Category > Service.
Answer: C

NEW QUESTION: 19
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?
A. Configure ECMP to handle matching NAT traffic
B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bidirectional option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bidirectional option
Answer: C
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configurationexamples

NEW QUESTION: 20
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-logcollection/configure-log-forwarding-to-panorama.html

NEW QUESTION: 21
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?
A. GlobalProtect
B. System
C. Configuration
D. Authentication
Answer: D

NEW QUESTION: 22
An administrator wants to upgrade an NGFW from PAN-OS® 9.0 to PAN-OS® 10.0. The firewall is not a part of an HA pair. What needs to be updated first?
A. XML Agent
B. Applications and Threats
C. WildFire
D. PAN-OS® Upgrade Agent
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-panos-80/upgrade-the-firewall-to-pan-os-80/upgrade-a-firewall-to-pan-os-80

NEW QUESTION: 23
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN preconfigured configuration would adapt to changes when deployed to the future site?
A. IPsec tunnels using IKEv2
B. GlobalProtect satellite
C. GlobalProtect client
D. PPTP tunnels

NEW QUESTION: 24
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)
A. DoS Protection Profile
B. Zone Protection Profile
C. Data Filtering Profile
D. Vulnerability Object
Answer: A,B

NEW QUESTION: 25
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?
A. web-browsing and 443
B. SSL and 80
C. SSL and 443
D. web-browsing and 80
Answer: A
We know that SSL decryption is supposed to give us visibility of traffic that would otherwise be encrypted. Therefore, we'd expect decrypted traffic to be identified as the underlying applications, such as web-browsing, facebook-base or other, but not as SSL.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAS

NEW QUESTION: 26
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use a virtual CD-ROM with an ISO.
B. Use config-drive on a USB stick.
C. Create and attach a virtual hard disk (VHD).
D. Use an S3 bucket with an ISO.

NEW QUESTION: 27
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
A. Panorama discards incoming logs when storage capacity is full.
B. Panorama stops accepting logs until licenses for additional storage space are applied
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.
Answer: D
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-uppanorama/determine-panorama-log-storage-requirements)

NEW QUESTION: 28
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using the command: > request restart system
Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:
A. The bootstrap.xml file is a required file but it is missing
B. Firewall must be in factory default state or have all private data deleted for bootstrapping
C. The USB must be formatted using the ext3 file system, FAT32 is not supported
D. The hostname is a required parameter, but it is missing in init-cfg.txt
E. PANOS version must be 91.x at a minimum but the firewall is running 10.0.x
Answer: C

NEW QUESTION: 29
Which protection feature is available only in a Zone Protection Profile?
A. SYN Flood Protection using SYN Flood Cookies
B. ICMP Flood Protection
C. Port Scan Protection
D. UDP Flood Protections
Answer: A
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/network/networknetwork-profiles-zone-protection

NEW QUESTION: 30
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?
A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
B. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic
C. Wait until an official Application signature is provided from Palo Alto Networks.
D. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application
Answer: B

NEW QUESTION: 31
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
A. Security policy rule allowing SSL to the target server
B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with "Trust" enabled
D. Importation of a certificate from an HSM
Answer: A
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inboundinspection.html

NEW QUESTION: 32
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?
A. Create new VPN zones at each site to terminate each VPN connection
B. Assign an IP address on each tunnel interface at each site
C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
D. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
Answer: C

NEW QUESTION: 33
What file type upload is supported as part of the basic WildFire service?
A. ELF
B. PE
C. BAT
D. VBS

NEW QUESTION: 34
PBF can address which two scenarios? (Select Two)
A. routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B. enabling the firewall to bypass Layer 7 inspection
C. forwarding all traffic by using source port 78249 to a specific egress interface
D. providing application connectivity if the primary circuit fails

NEW QUESTION: 35
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?
A. Enable QoS Data Filtering Profile
B. Enable QoS monitor
C. Enable QoS interface
D. Enable QoS in the interface Management Profile.
Answer: C
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/networkqos/qos-interface-settings#

NEW QUESTION: 36
An administrator wants to enable zone protection. Before doing so, what must the administrator consider?
A. The zone protection profile will apply to all interfaces within that zone
B. Activate a zone protection subscription.
C. Security policy rules do not prevent lateral movement of traffic between zones
D. To increase bandwidth no more than one firewall interface should be connected to a zone
Answer: B

NEW QUESTION: 37
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?
A. Enable on Site-B only
B. Enable on Site-A and Site-B
C. Enable on Site-B only with passive mode
D. Enable on Site-A only
Answer: B

NEW QUESTION: 38
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict?
A. More than 15 minutes
B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes
Answer: D

NEW QUESTION: 39
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?
A. Okta
B. DUO
C. RADIUS
D. PingID
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authenticationtypes/multi-factor-authentication

NEW QUESTION: 40
Match each SD-WAN configuration element to the description of that element.

Answer:

NEW QUESTION: 41
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. Traffic Logs
B. System Logs
C. Task Manager
D. Configuration Logs
Answer: B,C

NEW QUESTION: 42
Which statement accurately describes service routes and virtual systems?
A. Virtual systems cannot have dedicated service routes configured; and virtual systems always use the global service and service route settings for the firewall
B. Virtual systems can only use one interface for all global service and service routes of the firewall
C. Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall
D. The interface must be used for traffic to the required external services
Answer: B

NEW QUESTION...

