[Jan-2024] Get 100% Real PCNSE Free Online Practice Test
BEST Verified Palo Alto Networks PCNSE Exam Questions (2024)
NEW QUESTION # 36
Which User-ID method maps IP addresses to usernames for users connecting through an
802.1x-enabled wireless network device that has no native integration with PAN-OS?software?
- A. Server Monitoring
- B. Client Probing
- C. XML API
- D. Port Mapping
Answer: A
Explanation:
To obtain user mappings from existing network services that authenticate users--such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms--Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to- users.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
NEW QUESTION # 37
Refer to the exhibit.
Which certificates can be used as a Forwarded Trust certificate?
- A. Forward_Trust
- B. Domain-Root-Cert
- C. Certificate from Default Trust Certificate Authorities
- D. Domain Sub-CA
Answer: D
NEW QUESTION # 38
What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
- A. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
- B. Configure a device block list
- C. Add administrator accounts
- D. Change the firewall management IP address
- E. Rename a vsys on a multi-vsys firewall
Answer: A,C,D
Explanation:
Explanation
A: Change the firewall management IP address C. Add administrator accounts E. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode Short Explanation of Correct Answer Only: These tasks cannot be configured from Panorama by using a template stack because they are device-specific settings that must be configured locally on each firewall1. A template stack can only configure settings that are common to multiple firewalls2. References: 1:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-conf
2
:https://docs.paloaltonetworks.com/best-practices/10-1/best-practices-for-managing-firewalls-with-panorama/con
NEW QUESTION # 39
Which PAN-OS policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?
- A. Security policy
- B. Decryption policy
- C. Authentication policy
- D. Application Override policy
Answer: A
NEW QUESTION # 40
Which event will happen if an administrator uses an Application Override Policy?
- A. Threat-ID processing time is decreased.
- B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
- C. App-ID processing time is increased.
- D. The application name assigned to the traffic by the security rule is written to the Traffic log.
Answer: B
Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create- an-Application-Override/ta-p/65513
NEW QUESTION # 41
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
- A. Yes because the action is set to "alert"
- B. Yes. because the action is set to "allow ''
- C. No because WildFire classified the seventy as "high."
- D. No because WildFire categorized a file with the verdict "malicious"
Answer: B
NEW QUESTION # 42
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
- A. Kernel Virtualization Module (KVM)
- B. Red Hat Enterprise Virtualization (RHEV)
- C. Microsoft Hyper-V
- D. Boot Strap Virtualization Module (BSVM)
Answer: A,C
Explanation:
Reference:
docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments
NEW QUESTION # 43
Which GlobalProtect component must be configured to enable Chentless VPN?
- A. GlobalProtect portal
- B. GlobalProtect app
- C. GlobalProtect satellite
- D. GlobalProtect gateway
Answer: A
Explanation:
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5
NEW QUESTION # 44
Review the screenshot of the Certificates page.
An administrator tor a small LLC has created a series of certificates as shown, to use tor a planned Decryption roll out The administrator has also installed the sell-signed root certificate <n all client systems When testing, they noticed that every time a user visited an SSL site they received unsecured website warnings What is the cause of the unsecured website warnings.
- A. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
- B. The forward trust certificate has not been signed by the set-singed root CA certificate
- C. The forward untrust certificate has not been signed by the self-singed root CA certificate
- D. The forward trust certificate has not been installed in client systems
Answer: B
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy
NEW QUESTION # 45
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
NEW QUESTION # 46
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP
port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from
Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to
allow cleartext web-browsing traffic to this server on tcp/443?
- A. Rule # 1: application: ssl; service: application-default; action: allow
Rule #2: application: web-browsing; service: application-default; action: allow - B. Rule #1: application: web-browsing; service: service-https; action: allow
Rule #2: application: ssl; service: application-default; action: allow - C. Rule #1: application: web-browsing; service: application-default; action: allow
Rule #2: application: ssl; service: application-default; action: allow - D. Rule #1: application: web-browsing; service: service-http; action: allow
Rule #2: application: ssl; service: application-default; action: allow
Answer: C
NEW QUESTION # 47
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
- A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
- B. Add a tuned DoS Protection Profile
- C. Add an Anti-Spyware Profile to block attacking IP address
- D. Add QoS Profiles to throttle incoming requests
Answer: B
Explanation:
Protection profiles and DoS Protection policy rules combine to protect specific groups of critical resources and individual critical resources against session floods. Compared to Zone Protection profiles, which protect entire zones from flood attacks, DoS protection provides granular defense for specific systems, especially critical systems that users access from the internet and are often attack targets, such as web servers and database servers. Apply both types of protection because if you only apply a Zone Protection profile, then a DoS attack that targets a particular system in the zone can succeed if the total connections-per-second (CPS) doesn't exceed the zone's Activate and Maximum rates. DoS Protection is resource-intensive, so use it only for critical systems. Similar to Zone Protection profiles, DoS Protection profiles specify flood thresholds. DoS Protection policy rules determine the devices, users, zones, and services to which DoS Profiles apply.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos- protection/zone-defense/dos-protection-profiles-and-policy-rules
NEW QUESTION # 48
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
- A. Yes because the action is set to "alert"
- B. Yes. because the action is set to "allow ''
- C. No because WildFire classified the seventy as "high."
- D. No because WildFire categorized a file with the verdict "malicious"
Answer: B
Explanation:
Explanation
Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High.https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-
NEW QUESTION # 49
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
- A. Log Forwarding
- B. Log Ingestion
- C. HTTP
- D. LDAP
Answer: A,C
NEW QUESTION # 50
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
- A. Option C
- B. Option A
- C. Option D
- D. Option B
Answer: C
NEW QUESTION # 51
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections.
Which two configuration options can be used to correctly categorize their custom database application?
(Choose two.)
- A. Custom Service object.
- B. Custom application.
- C. Security policy to identify the custom application.
- D. Application Override policy.
Answer: B,C
NEW QUESTION # 52
When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?
- A. Local
- B. Radius
- C. Kerberos
- D. LDAP
Answer: A
Explanation:
When using SSH keys for CLI authentication for firewall administration, the method used for authorization is local. This is described in the Palo Alto Networks PCNSE Study Guide in Chapter 4: Authentication and Authorization, under the section "CLI Authentication with SSH Keys":
"SSH keys use public key cryptography to authenticate users, but they do not provide a mechanism for authorization. Therefore, when using SSH keys for CLI authentication, authorization is always performed locally on the firewall."
NEW QUESTION # 53
Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"
- A. Ancestor objects will have precedence over other ancestor objects.
- B. Descendant objects will take precedence over other descendant objects.
- C. Descendant objects will take precedence over ancestor objects.
- D. Ancestor objects will have precedence over descendant objects.
Answer: D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface- help/device/device-setup-management
NEW QUESTION # 54
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.)
- A. System log
- B. authd log
- C. dp-monitor .log
- D. Traffic log
- E. ms log
Answer: A,B
NEW QUESTION # 55
Which option describes the operation of the automatic commit recovery feature?
- A. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure.
- B. It enables a firewall to revert to the previous configuration if rule shadowing is detected
- C. It enables a firewall to revert to the previous configuration if application dependency errors are found
- D. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure
Answer: B
NEW QUESTION # 56
What is the purpose of the firewall decryption broker?
- A. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools
- B. Inspection traffic within IPsec tunnel
- C. Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools
- D. Force decryption of previously unknown cipher suites
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/decryption-features/decryption-broker
NEW QUESTION # 57
......
PCNSE Exam Dumps, Practice Test Questions BUNDLE PACK: https://www.actual4test.com/PCNSE_examcollection.html
The Best Practice Test Preparation for the PCNSE Certification Exam: https://drive.google.com/open?id=1YunB7-Htdh0T8FbpKvmig5k0dW5RXPWK