Grab your copy of the freshest 2024 PCNSE PDF dumps without spending a dime

Embark on a journey of certification enlightenment, with the PCNSE dumps as your unwavering companion. Crafted with an eye for detail to align with the diverse curriculum, the PCNSE dumps offer a wide expanse of practice questions, solidifying your expertise. Whether the unerring clarity of PDFs engages you or the dynamic depths of the VCE format entrances, the PCNSE dumps have you covered. An all-encompassing study guide, central to the PCNSE dumps, sheds light on elusive concepts, simplifying your journey. With an unwavering commitment to these offerings, we confidently champion our 100% Pass Guarantee.

[Hot Pick] Navigate to success with the free PCNSE PDF and Exam Questions, ensuring a 100% pass rate

Question 1:

A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred?

A. From the CLI, issue the show System log command

B. Apply the filter subtype eq ha to the System log

C. Apply the filter subtype eq ha to the configuration log

D. Check the status of the High Availability widget on the Dashboard of the GUI

Correct Answer: B


Question 2:

In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used?

A. LDAP

B. Kerberos

C. Certification based authentication

D. RADIUS with Vendor-Specific Attributes

Correct Answer: D


Question 3:

To protect your firewall and network from single-source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:

A. BGP (Border Gateway Protocol)

B. PBP (Packet Buffer Protection)

C. PGP (Packet Gateway Protocol)

D. PBP (Protocol Based Protection)

Correct Answer: D


Question 4:

A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.

How should this be accomplished?

A. Create a Template with the appropriate IKE Gateway settings

B. Create a Template with the appropriate IPSec tunnel settings

C. Create a Device Group with the appropriate IKE Gateway settings

D. Create a Device Group with the appropriate IPSec tunnel settings

Correct Answer: B


Question 5:

Based on the image, what caused the commit warning?

A. The CA certificate for FWDtrust has not been imported into the firewall.

B. The FWDtrust certificate has not been flagged as Trusted Root CA.

C. SSL Forward Proxy requires a public certificate to be imported into the firewall.

D. The FWDtrust certificate does not have a certificate chain.

Correct Answer: A


Question 6:

A Panorama administrator configures a new zone and uses the zone in a new Security policy.

After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?

A. force template values

B. merge with candidate config

C. specify the template as a reference template

D. include device and network templates

Correct Answer: D


Question 7:

What are three types of Decryption Policy rules? (Choose three.)

A. SSL Inbound Inspection

B. SSH Proxy

C. SSL Forward Proxy

D. Decryption Broker

E. Decryption Mirror

Correct Answer: ABC

Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule


Question 8:

An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement?

A. Decryption Mirror interface with the Threat Analysis license

B. Virtual Wire interface with the Decryption Port Export license

C. Tap interface with the Decryption Port Mirror license

D. Decryption Mirror interface with the associated Decryption Port Mirror license

Correct Answer: D

Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/decryption-mirroring

“Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.”


Question 9:

A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application. What must be enabled to allow an interface to forward multicast traffic?

A. IGMP

B. PIM

C. BFD

D. SSM

Correct Answer: B

PIM is a protocol that enables routers to forward multicast traffic efficiently based on the source and destination addresses. PIM can operate in two modes: sparse mode (PIM-SM) or dense mode (PIM-DM). PIM-SM uses a rendezvous point (RP) as a central point for distributing multicast traffic, while PIM-DM uses flooding and pruning techniques. Enable PIM on the interface to allow routers to forward multicast traffic using either sparse mode or dense mode, depending on your network topology and requirements.


Question 10:

An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

A. A scheduler will need to be configured for application signatures.

B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.

C. A Threat Prevention license will need to be installed.

D. A service route will need to be configured.

Correct Answer: A

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates


Question 11:

Given the following snippet of a WildFire submission log, did the end-user get access to the requested information, and why or why not?

A. Yes, because the action is set to alert

B. No, because this is an example from a defeated phishing attack

C. No, because the severity is high and the verdict is malicious.

D. Yes, because the action is set to allow.

Correct Answer: D

As long as the action is set to allow, the traffic is still allowed. High severity covers threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High.

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/threat-logs#id5cea1511-a153-4005-9d5f-ab2482e838ae


Question 12:

A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile. What should be done next?

A. Click the simple-critical rule and then click the Action drop-down list.

B. Click the Exceptions tab and then click show all signatures.

C. View the default actions displayed in the Action column.

D. Click the Rules tab and then look for rules with “default” in the Action column.

Correct Answer: B


Question 13:

An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound Inspection and SSL Forward Proxy are installed properly on the firewall. When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)

A. Forward Untrust certificate

B. Forward Trust certificate

C. Enterprise Root CA certificate

D. End-entity (leaf) certificate

E. Intermediate certificate(s)

Correct Answer: ABD


Question 14:

An engineer was tasked to simplify configuration of multiple firewalls with a specific set of configurations shared across all devices. Which two advantages would be gained by using multiple templates in a stack? (Choose two.)

A. inherits address-objects from the templates

B. standardizes server profiles and authentication configuration across all stacks

C. standardizes log-forwarding profiles for security policies across all stacks

D. defines a common standard template configuration for firewalls

Correct Answer: BD


Question 15:

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

A. set deviceconfig setting tcp asymmetric-path drop

B. set deviceconfig setting session tcp-reject-non-syn no

C. set session tcp-reject-non-syn yes

D. set deviceconfig setting tcp asymmetric-path bypass

Correct Answer: B

To work around this issue, one possible troubleshooting command is set deviceconfig setting session tcp-reject-non-syn no, which disables TCP reject non-SYN temporarily (until reboot). This command allows a non-SYN first packet through without dropping it. The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option controls whether the firewall drops non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option using the “set deviceconfig setting session tcp-reject-non-syn no” command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.

