Check Real Palo Alto Networks PCNSE Exam Questions for Free (2023)
Get Ready to Boost Your Preparation for the PCNSE Exam with 91 Questions
The PCNSE certification program has been designed to ensure that candidates have a deep understanding of the Palo Alto Networks security platform, including Next-Generation Firewalls, Panorama management, and other related technologies. The program covers a wide range of topics, including firewall configuration, network security, VPN setup, user identification, and application control. Candidates need to demonstrate their proficiency in these areas to pass the exam and earn the certification.
NEW QUESTION # 51
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)
- A. XML API
- B. GlobalProtect agent
- C. log forwarding auto-tagging
- D. User-ID Windows-based agent
Answer: C,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.html
You can enable the dynamic registration process using any of the following options:
User-ID agent for Windows*
VM Information Sources
Panorama Plugin
VMware Service Manager
XML API*
Auto-Tag*
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf
Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.
NEW QUESTION # 52
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
- A. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
- B. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.
- C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
- D. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfoCAC "Should the IPSec connection fail, VPN will fall back to SSL protocol."
NEW QUESTION # 53
You have upgraded your Panorama and Log Collectors to 10.2.x. Before upgrading your firewalls using Panorama, what do you need to do?
- A. Refresh the Master Key in Panorama/Master Key and Diagnostic
- B. Refresh your licenses with Palo Alto Network Support - Panorama/Licenses/Retrieve License Keys from License Server.
- C. Re-associate the firewalls in Panorama/Managed Devices/Summary.
- D. Commit and Push the configurations to the firewalls.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upg
NEW QUESTION # 54
Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to the SSH requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
A)
B)
C)
D)
- A. Option A
- B. Option C
- C. Option D
- D. Option B
Answer: B
NEW QUESTION # 55
Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)
- A. Antivirus
- B. Applications and Threats
- C. User-ID
- D. Content-ID
Answer: A,B
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-dynamic-updates
NEW QUESTION # 56
Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"
- A. Descendant objects will take precedence over other descendant objects.
- B. Ancestor objects will have precedence over other ancestor objects.
- C. Descendant objects will take precedence over ancestor objects.
- D. Ancestor objects will have precedence over descendant objects.
Answer: D
NEW QUESTION # 57
Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall. Which setting can the administrator configure on the firewall to log grayware verdicts?
- A. in WildFire General Settings, select "Report Grayware Files"
- B. within the log forwarding profile attached to the Security policy rule
- C. in Threat General Settings, select "Report Grayware Files"
- D. within the log settings option in the Device tab
Answer: A
Explanation:
https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/monitor-wildfire-activity/use-the-firewall-to-monitor-malware/configure-wildfire-submissions-log-settings/enable-logging-for-benign-and-grayware-samples
NEW QUESTION # 58
What are two benefits of nested device groups in Panorama? (Choose two.)
- A. Reuse of the existing Security policy rules and objects
- B. Overwrites local firewall configuration
- C. Requires configuring both function and location for every device
- D. All device groups inherit settings from the Shared group
Answer: A,D
Explanation:
https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panorama-overview/centralized-firewall-conf
NEW QUESTION # 59
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
- A. set deviceconfig setting tcp asymmetric-path drop
- B. set session tcp-reject-non-syn yes
- C. set deviceconfig setting tcp asymmetric-path bypass
- D. set deviceconfig setting session tcp-reject-non-syn no
Answer: D
Explanation:
To work around this issue, one possible troubleshooting command is set deviceconfig setting session tcp-reject-non-syn no, which disables TCP reject non-SYN temporarily (until reboot). This command allows a non-SYN first packet through without dropping it.
The flow_tcp_non_syn_drop counter increases when the firewall receives packets with the ACK flag set, but not the SYN flag, which indicates asymmetric traffic flow. The tcp-reject-non-syn option enables or disables the firewall to drop non-SYN TCP packets. In this case, disabling the tcp-reject-non-syn option using the "set deviceconfig setting session tcp-reject-non-syn no" command can help work around the issue. This allows the firewall to accept non-SYN packets and create a session for the existing flow.
NEW QUESTION # 60
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)
- A. aggregate.8
- B. ae.1
- C. aggregate.1
- D. ae.8
Answer: B,D
NEW QUESTION # 61
Match each SD-WAN configuration element to the description of that element.
Answer:
Explanation:
NEW QUESTION # 62
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
- A. Option C
- B. Option A
- C. Option D
- D. Option B
Answer: B
Explanation:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-log-collection/configure-log-forward
NEW QUESTION # 63
During the packet flow process, which two processes are performed in application identification? (Choose two.)
- A. Application override policy match
- B. Session application identified.
- C. Pattern based application identification
- D. Application changed from content inspection
Answer: A,B
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
NEW QUESTION # 64
What are three valid actions in a File Blocking Profile? (Choose three)
- A. Forward
- B. Block
- C. Alert
- D. Reset-both
- E. Continue
- F. Upload
Answer: A,B,C
Explanation:
https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p
NEW QUESTION # 65
A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
- A. Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
- B. Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.
- C. Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
- D. Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
Answer: C
Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/schedule-a-configuration-push-to-managed-firewalls
Log in to the Panorama Web Interface and create a scheduled configuration push: select Panorama > Scheduled Config Push and Add a new scheduled configuration push. You can also schedule a configuration push to managed firewalls when you push to devices (Commit > Push to Devices).
NEW QUESTION # 66
In a firewall, which three decryption methods are valid? (Choose three.)
- A. SSL Inbound Proxy
- B. Decryption Mirror
- C. SSH Proxy
- D. SSL Outbound Proxyless Inspection
- E. SSL Inbound Inspection
Answer: B,C,E
Explanation:
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.
Ref:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-overview.html#idd71f8b4d-c
NEW QUESTION # 67
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
- A. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
- B. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
- C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
- D. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
Answer: A
Explanation:
Generate a CA certificate for Forward Trust (step 2) and a self-signed CA for Forward Untrust (step 4): https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
NEW QUESTION # 68
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
- A. Any configuration on an M-500 would address the insufficient bandwidth concerns.
- B. Configure log compression and optimization features on all remote firewalls.
- C. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
- D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
Answer: D
Explanation:
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-logging-and-reporting
NEW QUESTION # 69
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?
- A. Add QoS Profiles to throttle incoming requests.
- B. Add a DoS Protection Profile with defined session count.
- C. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
- D. Add a Vulnerability Protection Profile to block the attack.
Answer: B
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/dos-protection-profiles
NEW QUESTION # 70
A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny." Which action will this configuration cause on the matched traffic?
- A. The configuration will allow the matched session unless a vulnerability signature is detected.
- B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit
- C. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile It will cause the firewall to deny the matched sessions.
- D. The Profile Settings section will be grayed out when the Action is set to "Deny"
Answer: C
Explanation:
Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html
The first note in the link above states:
"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." The first thing the firewall checks for a flow is the Security policy match and its action. The Security Profile is never evaluated if the flow matches a rule whose action is deny.
NEW QUESTION # 71
What are two best practices for incorporating new and modified App-IDs? (Choose two)
- A. Configure a security policy rule to allow new App-IDs that might have network-wide impact
- B. Study the release notes and install new App-IDs if they are determined to have low impact
- C. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs
- D. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
Answer: A,B
NEW QUESTION # 72
A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
- A. Create a Dynamic Admin with the Panorama Administrator role.
- B. Create a Dynamic Read only superuser
- C. Create a Custom Panorama Admin.
- D. Create a Device Group and Template Admin.
Answer: C
Explanation:
A Custom Panorama Admin is a type of role-based access that allows a super user to create separate Panorama administrator accounts for each of the three contractors. This will allow each contractor to work with different device-groups in their hierarchy and deploy policies and objects in accordance with the organization's compliance requirements. The Custom Panorama Admin role also allows the super user to assign separate permissions to each contractor's account, granting them access to only the resources they are authorized to use. This type of role-based access is the most appropriate for this project as it will ensure that each contractor is only able to access the resources they need in order to do their job.
NEW QUESTION # 73
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A:
B:
C:
D:
- A. Option A
- B. Option C
- C. Option D
- D. Option B
Answer: B
NEW QUESTION # 74
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
- A. Antivirus update package
- B. WildFire update package
- C. Application and Threats update package
- D. User-ID agent
Answer: C
Explanation:
Dependencies: before upgrading, make sure the firewall is running a version of the Applications and Threats content (content version) that meets the minimum requirement of the new PAN-OS release.
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
NEW QUESTION # 75
......
Use Free PCNSE Exam Questions that Simulate the Actual Exam: https://actualtests.vceprep.com/PCNSE-latest-vce-prep.html