Paloalto-Networks PCNSE Rapidshare 2021

NEW QUESTION 1
In the following image from Panorama, why are some values shown in red?

• A. sg2 session count is the lowest compared to the other managed devices.
• B. us3 has a logging rate that deviates from the administrator-configured thresholds.
• C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
• D. sg2 has misconfigured session thresholds.

Answer: C

NEW QUESTION 2
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

• A. From the CLI, issue the show counter global filter pcap yes command.
• B. From the CLI, issue the show counter global filter packet-filter yes command.
• C. From the GUI, select show global counters under the monitor tab.
• D. From the CLI, issue the show counter interface command for the ingress interface.

Answer: B

NEW QUESTION 3
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?

• A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
• B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
• C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
• D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

Answer: A

NEW QUESTION 4
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

• A. A Certificate Profile that contains the client certificate needs to be selected.
• B. The source address supports only files hosted with an ftp://<address/file>.
• C. External Dynamic Lists do not support SSL connections.
• D. A Certificate Profile that contains the CA certificate needs to be selected.

Answer: D

NEW QUESTION 5
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three)

• A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.
• B. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
• C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.
• D. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.
• E. Download and install PAN-OS 8.0.4 directly on each firewall.
• F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

Answer: ACF

NEW QUESTION 6
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

• A. Configure ECMP to handle matching NAT traffic
• B. Configure a NAT Policy rule with Dynamic IP and Port
• C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
• D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option

Answer: C

Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

NEW QUESTION 7
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

• A. Device>Setup>Services>AutoFocus
• B. Device> Setup>Management >AutoFocus
• C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
• D. Device>Setup>WildFire>AutoFocus
• E. Device>Setup> Management> Logging and Reporting Settings

Answer: B

Explanation:
Reference: https://www.paloaHYPERLINK
"https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence"ltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence

NEW QUESTION 8
Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

• A. Client Probing
• B. Port mapping
• C. Server monitoring
• D. Syslog listening

Answer: D

NEW QUESTION 9
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

• A. Create a no-decrypt Decryption Policy rule.
• B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
• C. Create a Dynamic Address Group for untrusted sites
• D. Create a Security Policy rule with vulnerability Security Profile attached.
• E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD

NEW QUESTION 10
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

• A. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN I
• B. Repeat forevery additional VLANand use a VLAN ID of 0 for untagged traffi
• C. Assign each interface/subinterface to a unique zone.
• D. Create V-Wire objects with two V-Wire sub interface and assign only a single VLAN ID to the "Tag Allowed field one of the V-Wire object Repeat for every additional VLAN and use a VIAN ID of 0 for untagged traffi
• E. Assign each interface/subinterfaceto a unique zone.
• F. Create V-Wire objects with two V-Wire interfaces and define a range “0- 4096" in the 'Tag Allowed filed of the V-Wire object.
• G. Create Layer 3 sub interfaces that are each assigned to a single VLAN ID and a common virtual route
• H. The physical Layer 3interface would handle untagged traffi
• I. Assign each interface /subinterface to a unique zon
• J. Do not assign any interface anIP address

Answer: C

NEW QUESTION 11
Which command can be used to validate a Captive Portal policy?

• A. eval captive-portal policy <criteria>
• B. request cp-policy-eval <criteria>
• C. test cp-policy-match <criteria>
• D. debug cp-policy <criteria>

Answer: C

NEW QUESTION 12
SAML SLO is supported for which two firewall features? (Choose two.)

• A. GlobalProtect Portal
• B. CaptivePortal
• C. WebUI
• D. CLI

Answer: AB

NEW QUESTION 13
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

C)

D)

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: D

NEW QUESTION 14
Which is not a valid reason for receiving a decrypt-cert-validation error?

• A. Unsupported HSM
• B. Unknown certificate status
• C. Client authentication
• D. Untrusted issuer

Answer: A

NEW QUESTION 15
Which feature must you configure to prevent users form accidentally submitting their corporate
credentials to a phishing website?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing

NEW QUESTION 16
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

• A. Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy.
• B. Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy.
• C. Disable the exclude cache option for the firewall.
• D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Answer: D

NEW QUESTION 17
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

• A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
• B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
• C. Rule # 1: application: ssl; service: application-default; action: allowRule #2: application: web-browsing; service: application-default; action: allow
• D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer: A

NEW QUESTION 18
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

• A. CRL
• B. CRT
• C. OCSP
• D. Cert-Validation-Profile
• E. SSL/TLS Service Profile

Answer: AC

NEW QUESTION 19
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

• A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
• B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
• C. The firewalls do not use floating IPs in active/active HA.
• D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Answer: A

NEW QUESTION 20
Which four NGFW multi-factor authentication factors are supported by PAN-OSS? (Choose four.)

• A. User logon
• B. Short message service
• C. Push
• D. SSH keyE.One-Time Password F.Voice

Answer: BCEF

NEW QUESTION 21
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

• A. Set tunne
• B. 1 to p2p
• C. Set tunne
• D. 1 to p2mp
• E. Set Ethernet 1/1 to p2mp
• F. Set Ethernet 1/1 to p2p

Answer: A

NEW QUESTION 22
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

• A. check
• B. find
• C. test
• D. sim

Answer: C

Explanation:
Reference: http://www.shanekillen.com/2014/02/palo-alto-useful-cli-commands.html

NEW QUESTION 23
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?

• A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
• B. set deviceconfig system speed-duplex 1Gbps-duplex
• C. set deviceconfig system speed-duplex 1Gbps-full-duplex
• D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: B

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034

NEW QUESTION 24
How is the Forward Untrust Certificate used?

• A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/
• B. It is used when web servers request a client certificate.
• C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.
• D. It is used for Captive Portal to identify unknown users.

Answer: C

NEW QUESTION 25
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

• A. port mapping
• B. server monitoring
• C. client probing
• D. XFF headers

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-server-users

NEW QUESTION 26
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

• A. System log
• B. CPU Utilization widget
• C. Resources widget
• D. System Utilization log

Answer: C

NEW QUESTION 27
A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?

• A. Block all unauthorized applications using a security policy
• B. Block all known internal custom applications
• C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
• D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks

Answer: D

NEW QUESTION 28
......