Chart your PCNSE exam success with our gratis materials and true questions

Embark on a journey of certification enlightenment, with the PCNSE dumps as your unwavering companion. Crafted with an eye for detail to align with the diverse curriculum, the PCNSE dumps offer a wide expanse of practice questions, solidifying your expertise. Whether the unerring clarity of PDFs engages you or the dynamic depths of the VCE format entrances, the PCNSE dumps have you covered. An all-encompassing study guide, central to the PCNSE dumps, sheds light on elusive concepts, simplifying your journey. With an unwavering commitment to these offerings, we confidently champion our 100% Pass Guarantee.

Question 1:

A customer wants to set up a site-to-site VPN using tunnel interfaces. What format is the correct naming convention for tunnel interfaces?

A. tun.1025

B. tunnel.50

C. vpn.1024

D. gre1/2

Correct Answer: B


Question 2:

What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices

B. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously

C. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost

D. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again

Correct Answer: C


Question 3:

A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk. What action will bring the VPN up and allow traffic to start passing between the sites?

A. Change the Site-B IKE Gateway profile version to match Site-A.

B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.

C. Enable NAT Traversal on the Site-A IKE Gateway profile.

D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A.

Correct Answer: D


Question 4:

An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?

A. Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

B. Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

C. Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

D. Disable the WildFire profile on the related Security policy.

Correct Answer: A


Question 5:

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

A. Exclude video traffic

B. Enable decryption

C. Block traffic that is not work-related

D. Create a Tunnel Inspection policy

Correct Answer: AC

This is because excluding video traffic from being sent over the VPN will reduce the amount of bandwidth being used during peak hours, allowing more bandwidth to be available for other types of traffic. Blocking non-work-related traffic will also reduce the amount of bandwidth being used, further freeing up bandwidth for work-related traffic. Enabling decryption and creating a Tunnel Inspection policy are not likely to mitigate the issue of decreased performance during peak-use hours, as they do not directly address the issue of limited bandwidth availability during these times.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 6:

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

A. Certificate profile

B. Path Quality profile

C. SD-WAN Interface profile

D. Traffic Distribution profile

Correct Answer: C


Question 7:

A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled.

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

A. Configure a mobile user gateway in the region closest to the datacenter to enable connectivity to the datacenter

B. Configure a remote network to provide connectivity to the datacenter

C. Configure Dynamic Routing to provide connectivity to the datacenter

D. Configure a service connection to provide connectivity to the datacenter

Correct Answer: B


Question 8:

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?

A. Use custom certificates

B. Enable LDAP or RADIUS integration

C. Set up multi-factor authentication

D. Configure strong password authentication

Correct Answer: A

Reference:

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your-panorama-deployment


Question 9:

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?

A. Use API calls to retrieve the configuration directly from the managed devices

B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama

C. Import Device Configuration to Panorama followed by Export or Push Device Config Bundle

D. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices

Correct Answer: C


Question 10:

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.

There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.

What is the best option for the administrator to take?

A. Configure the TAP interface for segment X on the firewall.

B. Configure vwire interfaces for segment X on the firewall.

C. Configure a Layer 3 interface for segment X on the firewall.

D. Configure a new vsys for segment X on the firewall.

Correct Answer: B


Question 11:

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the web server and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

A. DNS proxy

B. Explicit proxy

C. SSL forward proxy

D. Transparent proxy

Correct Answer: D

A transparent proxy is a type of web proxy that intercepts and redirects HTTP and HTTPS requests without requiring any configuration on the client browser. The firewall acts as a gateway between the client and the web server, and performs security checks on the traffic.

A transparent proxy can be configured on PAN-OS 11.0 firewalls by performing the following steps: enable Web Proxy under Device > Setup > Services; select Transparent Proxy as the Proxy Type; configure a Service Route for Web Proxy; configure an SSL/TLS Service Profile for Web Proxy; configure Security Policy Rules for Web Proxy traffic.

By configuring a transparent proxy on PAN-OS 11.0 firewalls, an organization can migrate from their existing web proxy architecture without changing their network topology or client settings. The firewall will maintain the same type of traffic flow as before, where HTTP and HTTPS requests contain the IP address of the web server and the client browser is redirected to the proxy.

Answer A is not correct because DNS proxy is a type of web proxy that intercepts DNS queries from clients and resolves them using an external DNS server. This type of proxy does not redirect HTTP or HTTPS requests to the firewall.


Question 12:

In a virtual router, which object contains all potential routes?

A. MIB

B. RIB

C. SIP

D. FIB

Correct Answer: B

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/virtual-routers


Question 13:

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

A. NTP

B. Antivirus

C. WildFire updates

D. NAT

E. File tracking

Correct Answer: ACD


Question 14:

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

A. Use the debug dataplane packet-diag set capture stage firewall file command.

B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).

C. Use the debug dataplane packet-diag set capture stage management file command.

D. Use the tcpdump command.

Correct Answer: D

Reference:

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html


Question 15:

The UDP-4501 protocol-port is used between which two GlobalProtect components?

A. GlobalProtect app and GlobalProtect gateway

B. GlobalProtect portal and GlobalProtect gateway

C. GlobalProtect app and GlobalProtect satellite

D. GlobalProtect app and GlobalProtect portal

Correct Answer: A

UDP 4501 is used for IPSec tunnel connections between GlobalProtect apps and gateways.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html

