Venture into PCNSE exam mastery with our complimentary materials and authentic questions

Steer your certification aspirations with the unparalleled guidance found within the PCNSE dumps. Intricately meshed to mirror the diverse landscape of the curriculum, the PCNSE dumps project a plethora of practice questions, ensuring an unwavering command over the subject. Be it the concise elegance of PDFs that attracts or the lively scenarios of the VCE format that captivates, the PCNSE dumps promise a holistic experience. An extensive study guide, a hallmark feature of the PCNSE dumps, stands as a beacon, highlighting critical areas of focus. With a profound belief in the prowess of our tools, we passionately reinforce our 100% Pass Guarantee.

[Recently Updated] Equip yourself for 100% exam pass rate with the PCNSE PDF and Exam Questions, free of charge

Question 1:

Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

A. VM-100

B. VM-200

C. VM-1000-HV

D. VM-300

Correct Answer: C



Question 2:

Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted.

What is the result of traffic that matches the “Alert – Threats” Profile Match List?

A. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Correct Answer: C



Question 3:

Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

A. Vulnerability Object

B. DoS Protection Profile

C. Data Filtering Profile

D. Zone Protection Profile

Correct Answer: BD



Question 4:

Which event will happen if an administrator uses an Application Override Policy?

A. Threat-ID processing time is decreased.

B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.

C. The application name assigned to the traffic by the security rule is written to the Traffic log.

D. App-ID processing time is increased.

Correct Answer: B

Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or-unknown-applications#

“If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.”



Question 5:

A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?

A. Remove the cable from the management interface, reload the log Collector and then reconnect that cable

B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments

C. Remove the device from the Collector Group

D. Revert to a previous configuration

Correct Answer: C



Question 6:

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

A. IPv6 Source or Destination Address

B. Destination-Based Service Route

C. IPv4 Source Interface

D. Inherit Global Setting

Correct Answer: C

The IPv4 Source Interface service route allows the administrator to specify a source interface for a service based on the virtual system. This option overrides the inherited global service route configuration and provides more granular control over the service routes for each virtual system. References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system.html



Question 7:

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

A. Create and add a monitor profile with an action of fail over in the PBF rule in question

B. Create and add a monitor profile with an action of wait recover in the PBF rule in question

C. Configure path monitoring for the next hop gateway on the default route in the virtual router

D. Enable and configure a link monitoring profile for the external interface of the firewall

Correct Answer: A



Question 8:

A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?

A. test security-policy-match source destination destination port protocol <protocol number>

B. show security rule source destination destination port protocol

C. test security rule source destination destination port protocol

D. show security-policy-match source destination destination port protocol test security-policy-match source

Correct Answer: A

test security-policy-match source destination protocol

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693



Question 9:

While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile. If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?

A. Enable resources protection under the DoS Protection profile.

B. Change the SYN flood action from Random Early Drop to SYN cookies.

C. Increase the activate rate for the SYN flood protection.

D. Change the DoS Protection profile type from aggregate to classified.

Correct Answer: B



Question 10:

Which three authentication types can be used to authenticate users? (Choose three.)

A. Local database authentication

B. PingID

C. Kerberos single sign-on

D. GlobalProtect client

E. Cloud authentication service

Correct Answer: ACE

The three authentication types that can be used to authenticate users are:

A: Local database authentication. This is the authentication type that uses the local user database on the firewall or Panorama to store and verify user credentials.

C: Kerberos single sign-on. This is the authentication type that uses the Kerberos protocol to authenticate users who are logged in to a Windows domain and provide them with seamless access to resources on the firewall or Panorama.

E: Cloud authentication service. This is the authentication type that uses a cloud-based identity provider, such as Okta, PingOne, or PingFederate, to authenticate users and provide SAML assertions to the firewall or Panorama.



Question 11:

As a best practice, which URL category should you target first for SSL decryption?

A. Online Storage and Backup

B. High Risk

C. Health and Medicine

D. Financial Services

Correct Answer: B

https://docs.paloaltonetworks.com/best-practices/10-0/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html

Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk).



Question 12:

What are three types of Decryption Policy rules? (Choose three.)

A. SSL Inbound Inspection

B. SSH Proxy

C. SSL Forward Proxy

D. Decryption Broker

E. Decryption Mirror

Correct Answer: ABC

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule



Question 13:

Company.com has an in-house application that the Palo Alto Networks device doesn’t identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.

B. Wait until an official Application signature is provided from Palo Alto Networks.

C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application

D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Correct Answer: D



Question 14:

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?

A. Create a DoS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone

B. Enable packet buffer protection in the outside zone.

C. Create a Security rule to deny all ICMP traffic from the outside zone.

D. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.

Correct Answer: D



Question 15:

Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

A. Dynamic

B. Custom Panorama Admin

C. Role Based

D. Device Group

E. Template Admin

Correct Answer: DE

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

