Master your PCNSE exam with the latest VCE study guides we provide at no cost

Set your sights on certification excellence, with the bedrock of the PCNSE dumps ensuring a solid foundation. Shaped with precision to match the evolving nuances of the syllabus, the PCNSE dumps introduce a kaleidoscope of practice questions, cementing your mastery. Whether the systematic elegance of PDFs strikes a chord or the vivid scenarios crafted by the VCE format mesmerize, the PCNSE dumps stand unmatched. An extensive study guide, seamlessly woven into the PCNSE dumps, unravels the intricacies, offering unparalleled clarity. Confident in the transformative power of these tools, we proudly emphasize our 100% Pass Guarantee.

Kickstart your PCNSE exam prep journey with our gratis materials enriched with authentic questions

Question 1:

An engineer is tasked with configuring a Zone Protection profile on the untrust zone. Which three settings can be configured on a Zone Protection profile? (Choose three.)

A. Ethernet SGT Protection

B. Protocol Protection

C. DoS Protection

D. Reconnaissance Protection

E. Resource Protection

Correct Answer: BCD

B. Protocol Protection: protects against known protocol vulnerabilities, such as buffer overflows and malformed packets.

C. DoS Protection: protects against denial-of-service (DoS) attacks, such as SYN floods and ICMP floods.

D. Reconnaissance Protection: protects against reconnaissance attacks, such as port scans and ping sweeps.


Question 2:

When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay?

A. OSPFv3

B. BGP

C. OSPF

D. RIP

Correct Answer: C


Question 3:

Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone?

The web server is reachable using a destination NAT policy in the Palo Alto Networks firewall.

A. Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: “intrazone”

B. Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: “intrazone” or “universal”

C. Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: “intrazone” or “universal”

D. Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: “intrazone”

Correct Answer: B

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-defense-tools.html

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 4:

DRAG DROP Match each type of DoS attack to an example of that type of attack

Select and Place:

Correct Answer:

Plan to defend your network against different types of DoS attacks:

Application-Based Attacks

–Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it. An example of this is the Slowloris attack.

Protocol-Based Attacks

–Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.

Volumetric Attacks

–High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense.html


Question 5:

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?

A. Post-NAT destination address

B. Pre-NAT destination address

C. Pre-NAT source address

D. Post-NAT source address

Correct Answer: C


Question 6:

View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)

A. DNS has a higher priority and more bandwidth than SSH.

B. Google-video has a higher priority and more bandwidth than WebEx.

C. SMTP has a higher priority but lower bandwidth than Zoom.

D. Facetime has a higher priority but lower bandwidth than Zoom.

Correct Answer: AD


Question 7:

An engineer needs to see how many existing SSL decryption sessions are traversing a firewall.

What command should be used?

A. show dataplane pool statistics | match proxy

B. debug dataplane pool statistics | match proxy

C. debug sessions | match proxy

D. show sessions all

Correct Answer: B


Question 8:

What must be used in a Security policy rule that contains addresses where NAT policy applies?

A. Pre-NAT addresses and Pre-NAT zones

B. Post-NAT addresses and Post-NAT zones

C. Pre-NAT addresses and Post-NAT zones

D. Post-NAT addresses and Pre-NAT zones

Correct Answer: C


Question 9:

A client is concerned about web shell attacks against their servers. Which profile will protect the individual servers?

A. Anti-Spyware profile

B. Zone Protection profile

C. DoS Protection profile

D. Antivirus profile

Correct Answer: A

Web shell attacks are part of the Spyware Signatures. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/threat-signatures


Question 10:

In a device group, which two configuration objects are defined? (Choose two.)

A. DNS Proxy

B. address groups

C. SSL/TLS profiles

D. URL Filtering profiles

Correct Answer: CD


Question 11:

If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?

A. Mapping to the IP address of the logged-in user.

B. First four letters of the username matching any valid corporate username.

C. Using the same user's corporate username and password.

D. Matching any valid corporate username.

Correct Answer: C

The Windows-based User-ID agent is installed on a Read-Only Domain Controller (RODC). The User-ID agent collects password hashes that correspond to users for which you want to enable credential detection and sends these mappings to the firewall. The firewall then checks if the source IP address of a session matches a username and if the password submitted to the webpage belongs to that username. With this mode, the firewall blocks or alerts on the submission only when the password submitted matches a user password.


Question 12:

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7, sourcing from 192.168.111.3 and destined to 10.46.41.113?

A. ethernet1/6

B. ethernet1/3

C. ethernet1/7

D. ethernet1/5

Correct Answer: D

PBF is to e1/5, but the current time is not in the time schedule. The normal routing will go to e1/3.


Question 13:

Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

A. log forwarding auto-tagging

B. GlobalProtect agent

C. User-ID Windows-based agent

D. XML API

Correct Answer: AC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.html

You can enable the dynamic registration process using any of the following options:

User-ID agent for Windows*

VM Information Sources

Panorama Plugin

VMware Service Manager

XML API*

Auto-Tag*

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf

Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.


Question 14:

An ISP manages a Palo Alto Networks firewall with multiple virtual systems for its tenants.

Where on this firewall can the ISP configure unique service routes for different tenants?

A. Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Inherit Global Service Route Configuration

B. Setup > Services > Global > Service Route Configuration > Customize

C. Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Customize

D. Setup > Services > Global > Service Route Configuration > Use Management Interface for all

Correct Answer: C

The best option for the ISP to configure unique service routes for different tenants is to use the Setup > Services > Virtual Systems > Set Location > Service Route Configuration > Customize option on the firewall. This option allows the ISP to customize the service routes for each virtual system that represents a tenant. A service route is the path from the interface to the service on a server, such as DNS, email, or Panorama. By customizing the service routes for each virtual system, the ISP can ensure that each tenant uses a different interface or IP address to access these services. Option A is incorrect because it is used to inherit the global service route configuration for a virtual system, not to customize it. Option B is incorrect because it is used to customize the global service route configuration for all virtual systems, not for a specific one. Option D is incorrect because it is used to use the management interface for all service routes, not to customize them.


Question 15:

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints.

The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue.

What must be configured to enable the Connect Before Logon feature?

A. The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand.

B. Registry keys on the Windows system.

C. X-Auth Support in the GlobalProtect Gateway Tunnel Settings.

D. The Certificate profile in the GlobalProtect Portal Authentication Settings.

Correct Answer: B

