Refine your PCNSE exam strategy with free updated VCE study guides

Embrace a universe where learning knows no bounds, catalyzed by the wisdom of PCNSE dumps. As you traverse this vast expanse, the PCNSE dumps sprinkle your path with enlightening practice questions. PDFs serve as ancient scrolls, preserving knowledge, while the VCE format is the modern storyteller, making learning come alive. The accompanying study guide and PCNSE dumps together craft a map for your quest. With unwavering confidence in this odyssey, we put forth our 100% Pass Guarantee, your North Star in this journey.

[Hot Drop] Fuel your exam prep with the free PCNSE PDF and Exam Questions, promising 100% success

Question 1:

Refer to the exhibit.

Which certificates can be used as a Forward Trust certificate?

A. Certificate from Default Trust Certificate Authorities

B. Domain Sub-CA

C. Forward_Trust

D. Domain-Root-Cert

Correct Answer: B

The SSL Forward Proxy certificate must be a trusted CA certificate with a private key. To use this certificate as a Forward Proxy certificate, you must open the certificate and select the checkbox to enable it as a Forward Trust Certificate. See the following doc, Step 2 number 5: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-forward-proxy.html


Question 2:

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?

A. PBF > Static route > Security policy enforcement

B. BGP NAT

C. PBF > Zone Protection Profiles > Packet Buffer Protection

D. NAT > Security policy enforcement > OSPF

Correct Answer: A


Question 3:

An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

A. Admin Role

B. WebUI

C. Authentication

D. Authorization

Correct Answer: A


Question 4:

An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

A. Export the log database.

B. Use the import option to pull logs.

C. Use the ACC to consolidate the logs.

D. Use the scp logdb export command.

Correct Answer: A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb


Question 5:

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet, and SSL Forward Proxy Decryption is not enabled.

Which component, once enabled on a perimeter firewall, will allow the identification of existing infected hosts in an environment?

A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole

B. File Blocking profiles applied to outbound security policies with action set to alert

C. Vulnerability Protection profiles applied to outbound security policies with action set to block

D. Antivirus profiles applied to outbound security policies with action set to alert

Correct Answer: A


Question 6:

What can be used to create dynamic address groups?

A. dynamic address

B. region objects

C. tags

D. FQDN addresses

Correct Answer: C


Question 7:

A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using command: > request restart system. Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because

A. Firewall must be in factory default state or have all private data deleted for bootstrapping

B. The hostname is a required parameter, but it is missing in init-cfg.txt

C. The USB must be formatted using the ext3 file system, FAT32 is not supported

D. PAN-OS version must be 9.1.x at a minimum but the firewall is running 10.0.x

E. The bootstrap.xml file is a required file but it is missing

Correct Answer: A

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/bootstrap-the-firewall/bootstrap-a-firewall-using-a-usb-flash-drive.html#id8378007f-d6e5-4f2d-84a4-5d50b0b3ad7d


Question 8:

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

A. IKE Gateway profile

B. IPSec Crypto profile

C. IPSec Tunnel settings

D. IKE Crypto profile

Correct Answer: B

The **IKE crypto profile** is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

The **IPSec crypto profile** is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.


Question 9:

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two.)

A. Syslog

B. XFF Headers

C. Client probing

D. Server Monitoring

Correct Answer: AB


Question 10:

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

A. IPv6 Source or Destination Address

B. Destination-Based Service Route

C. IPv4 Source Interface

D. Inherit Global Setting

Correct Answer: C

The IPv4 Source Interface service route allows the administrator to specify a source interface for a service based on the virtual system. This option overrides the inherited global service route configuration and provides more granular control over the service routes for each virtual system. References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system.html


Question 11:

VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

A. Zone Protection

B. Replay

C. Web Application

D. DoS Protection

Correct Answer: B

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ipsec-tunnel#


Question 12:

Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

A. Layer 2

B. Tap

C. Layer 3

D. Decryption Mirror

Correct Answer: C

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/network-packet-broker/configure-routed-layer-3-security-chains

Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-broker/security-chain-layer-3-guidelines.html


Question 13:

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

A. Number of blocked sessions

B. TLS protocol version

C. Encryption algorithm

D. Number of security zones in decryption policies

Correct Answer: BC

According to the Palo Alto Networks documentation, decryption consumes firewall CPU resources, so it is important to evaluate the amount of SSL decryption that the firewall deployment can support. Two factors that affect the CPU consumption are the TLS protocol version and the encryption algorithm used by the encrypted traffic. The newer versions of TLS (such as TLS 1.3) and the stronger encryption algorithms (such as AES-256-GCM) require more CPU resources to decrypt than the older versions and weaker algorithms. Therefore, the correct answer is B and C. The other options are not relevant or important for sizing a decryption firewall deployment: Number of blocked sessions: This option refers to the number of sessions that the firewall blocks based on Security policy rules. It does not affect the decryption performance or resource consumption. Number of security zones in decryption policies: This option refers to the number of security zones that are used to define the source and destination of the traffic to be decrypted. It does not affect the decryption performance or resource consumption.

References: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment


Question 14:

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?

A. 0

B. 99

C. 1

D. 255

Correct Answer: D

Reference:

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)

https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os-admin/pan-os-admin.pdf (page 315)


Question 15:

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

A. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile

B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

C. Configure a Captive Portal authentication policy that uses an authentication sequence

D. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns

Correct Answer: B

You should create an authentication profile and use it in a Captive Portal authentication policy.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication

