Download the Latest PCNSE Dumps - 2023 PCNSE Exam Questions
Latest Palo Alto Networks PCNSE Certification Practice Test Questions
NEW QUESTION 76
Which three authentication factors does PAN-OS® software support for MFA (Choose three.)
- A. Pull
- B. SMS
- C. Voice
- D. Push
- E. Okta Adaptive
Answer: B,C,D
NEW QUESTION 77
If the firewall has the link monitoring configuration, what will cause a failover?
- A. ethernet1/3 and ethernet1/6 going down
- B. ethernet1/6 going down
- C. ethernet1/3 or Ethernet1/6 going down
- D. ethernet1/3 going down
Answer: A
NEW QUESTION 78
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
- A. Traffic logs
- B. System logs
- C. Threat logs
- D. WildFire logs
Answer: D
NEW QUESTION 79
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
- A. IPSec mode
- B. Tunnel mode
- C. No Direct Access to local networks
- D. Satellite mode
Answer: C
Explanation:
Explanation
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-tra
NEW QUESTION 80
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.
Answer:
Explanation:
NEW QUESTION 81
What are three reasons for excluding a site from SSL decryption? (Choose three.)
- A. mutual authentication
- B. unsupported ciphers
- C. certificate pinning
- D. the website is not present in English
- E. unsupported browser version
Answer: A,B,C
Explanation:
Explanation
Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption- exclusions/exclude-a-server-from-decryption.html
NEW QUESTION 82
A
user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?
- A. Configure path monitoring for the next hop gateway on the default route in the virtual router.
- B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
- C. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question:.
- D. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
Answer: B
Explanation:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK
NEW QUESTION 83
Which CLI command displays the physical media that are connected to ethernetl/8?
- A. > show system state filter-pretty sys.si.p8.stats
- B. > show interface ethernetl/8
- C. > show system state filter-pretty sys.sl.p8.phy
- D. > show system state filter-pretty sys.si.p8.med
Answer: C
Explanation:
Example output:
> show system state filter-pretty sys.s1.p1.phy
sys.s1.p1.phy: {
link-partner: { },
media: CAT5,
type: Ethernet,
}
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC
NEW QUESTION 84
Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.
- A. Zone Pair:
Source Zone: Internet
Destination Zone: DMZ
Rule Type:
"intrazone" - B. Zone Pair:
Source Zone: Internet
Destination Zone: Internet
Rule Type:
"intrazone" or "universal" - C. Zone Pair:
Source Zone: Internet
Destination Zone: DMZ
Rule Type:
"intrazone" or "universal" - D. Zone Pair:
Source Zone: Internet
Destination Zone: Internet
Rule Type:
"intrazone"
Answer: C
NEW QUESTION 85
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
- A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
- B. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
- C. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow
- D. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
Answer: C
NEW QUESTION 86
Match each GlobalProtect component to the purpose of that component
Answer:
Explanation:
NEW QUESTION 87
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?
- A. Create V-Wire objects with two V-Wire sub interface and assign only a single VLAN ID to the "Tag Allowed field one of the V-Wire object Repeat for every additional VLAN and use a VIAN ID of 0 for untagged traffic. Assign each interface/subinterfaceto a unique zone.
- B. Create Layer 3 sub interfaces that are each assigned to a single VLAN ID and a common virtual router.
The physical Layer 3interface would handle untagged traffic. Assign each interface /subinterface to a unique zone. Do not assign any interface anIP address - C. Create V-Wire objects with two V-Wire interfaces and define a range "0- 4096" in the 'Tag Allowed filed of the V-Wire object.
- D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLANand use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Answer: C
NEW QUESTION 88
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?
- A. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- C. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number
- D. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security-policy-match source
Answer: C
Explanation:
If you know the source or destination IP address, the test command from the CLI will search the security policies and display the best match:
Example:
> test security-policy-match source <source IP> destination <destination IP> protocol <protocol number> The output will show which policy rule will be applied to this traffic match based on the source and destination IP addresses.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy- Applies-to-a-Traffic-Flow/ta-p/53693
NEW QUESTION 89
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)
- A. View the ACC tab to isolate routing issues.
- B. Perform a traffic pcap on the NGFW to see any BGP problems.
- C. View the System logs and look for the error messages about BGP.
- D. View the Runtime Stats and look for problems with BGP configuration.
Answer: C,D
NEW QUESTION 90
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
- A. The firewall's DP CPU is higher than 50%.
- B. The traffic is offloaded.
- C. The firewall is in multi-vsys mode.
- D. The traffic does not match the packet capture filter.
Answer: B,D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take- packet-captures/disable-hardware- offload
NEW QUESTION 91
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface What are three supported functions on the VWire interface? (Choose three )
- A. IPSec
- B. SSL Decryption
- C. QoS
- D. OSPF
- E. NAT
Answer: A,C,E
NEW QUESTION 92
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)
- A. Block sessions with untrusted issuers
- B. Block sessions with expired certificates
- C. Block sessions with client authentication
- D. Block credential phishing
- E. Block sessions with unsupported cipher suites
Answer: A,B
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-decryption-exceptions Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. <-- this req client Auth, which is not stated Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates. Define the protocol versions and key exchange, encryption, and authentication algorithms allowed for SSL Forward Proxy and SSL Inbound Inspection traffic in the SSL Protocol Settings.
NEW QUESTION 93
To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?
- A. Reference the targeted device's templates in the target device group
- B. Add the policy to the target device group and apply a master device to the device group
- C. Add the policy in the shared device group as a pre-rule
- D. Clone the security policy and add it to the other device groups
Answer: C
Explanation:
Explanation
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-firewall-conf
NEW QUESTION 94
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For Which three severity levels should single-packet captures be enabled to meet the Best Practice standard?
(Choose three)
- A. Critical
- B. High
- C. Informational
- D. Low
- E. Medium
Answer: A,B,E
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
NEW QUESTION 95
......
Palo Alto Networks PCNSE Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
| Topic 7 |
|
| Topic 8 |
|
| Topic 9 |
|
| Topic 10 |
|
| Topic 11 |
|
Verified PCNSE Dumps Q&As - 1 Year Free & Quickly Updates: https://testking.vceengine.com/PCNSE-vce-test-engine.html
