PCNSE Free Certification Exam Material from DumpsQuestion with 337 Questions
NEW QUESTION 131
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.
What can be the cause of this problem?
- A. Interface Ethernet 1/1 is in Virtual Wire Mode.
- B. DNS has not been properly configured on the firewall.
- C. No Zone has been configured on Ethernet 1/4.
- D. DNS has not been properly configured on the host.
Answer: C
NEW QUESTION 132
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
- A. Vulnerability Protection
- B. Anti-Spyware
- C. WildFire
- D. Antivirus
Answer: D
NEW QUESTION 133
An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going in the company.
What would be the administrator's next step?
- A. Create a global filter for bittorrent traffic and then view Traffic logs.
- B. Create a local filter for bittorrent traffic and then view Traffic logs.
- C. Click on the bittorrent application link to view network activity
- D. Right-Click on the bittorrent link and select Value from the context menu
Answer: C
NEW QUESTION 134
View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?
- A. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
- B. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
- C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
- D. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-portals/define-the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
"Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways. When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways"
NEW QUESTION 135
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?
- A. 5 to 10 minutes
- B. 10 to 15 minutes
- C. 5 minutes
- D. More than 15 minutes
Answer: A
NEW QUESTION 136
A company wants to install an NGFW between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.
Which option differentiates multiple VLANs into separate zones?
- A. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- D. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
Answer: C
NEW QUESTION 137
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?
- A. Create a Template with the appropriate IPSec tunnel settings
- B. Create a Device Group with the appropriate IPSec tunnel settings
- C. Create a Device Group with the appropriate IKE Gateway settings
- D. Create a Template with the appropriate IKE Gateway settings
Answer: A
NEW QUESTION 138
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?
- A. test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- B. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- C. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
- D. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
Answer: A
Explanation:
test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693
NEW QUESTION 139
Refer to the exhibit.
A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
- A. Untrust (any) to DMZ (10.1.1.100), web browsing - Allow
- B. Untrust (any) to Untrust (1.1.1.100), web browsing - Allow
- C. Untrust (any) to DMZ (1.1.1.100), web browsing - Allow
- D. Untrust (any) to Untrust (10.1.1.100), web browsing - Allow
Answer: C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat
NEW QUESTION 140
Which Captive Portal mode must be configured to support MFA authentication?
- A. Redirect
- B. NTLM
- C. Transparent
- D. Single Sign-On
Answer: A
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication
NEW QUESTION 141
Which three functions are found on the dataplane of a PA-5050? (Choose three)
- A. Dynamic routing
- B. Signature Match
- C. Network Processing
- D. Protocol Decoder
- E. Management
Answer: A,B,C
Explanation:
In these devices, dataplane zero, or dp0 for short, functions as the master dataplane and determines which dataplane will be used as the session owner that is responsible for processing and inspection.
The data plane provides all data processing and security detection and enforcement, including:
* (B) All networking connectivity, packet forwarding, switching, routing, and network address translation
* Application identification, using the content of the applications, not just port or protocol
* SSL forward proxy, including decryption and re-encryption
* Policy lookups to determine what security policy to enforce and what actions to take, including scanning for threats, logging, and packet marking
* Application decoding, threat scanning for all types of threats and threat prevention
* Logging, with all logs sent to the control plane for processing and storage
E: The following diagram depicts both the hardware and software architecture of the next-generation firewall
Incorrect Answers:
C: Management is done in the control plane.
https://www.niap-ccevs.org/st/st_vid10392-st.pdf
NEW QUESTION 142
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website?
- A. Anti-Spyware profile
- B. Vulnerability Protection profile
- C. Zone Protection profile
- D. URL Filtering profile
Answer: D
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing
NEW QUESTION 143
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
- A. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
- B. Automatically "download and install" but with the "disable new applications" option used.
- C. Configure the option for "Threshold".
- D. Disable automatic updates during weekdays.
Answer: A
NEW QUESTION 144
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
- A. LDAP
- B. Kerberos
- C. SAML
- D. PAP
- E. RADIUS
- F. TACACS+
Answer: A,B,C
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/manage-firewall-administrat
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:
* Configure SAML Authentication
* Configure TACACS+ Authentication
* Configure RADIUS Authentication
NEW QUESTION 145
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
- A. SSL Inbound Inspection
- B. TLS Bidirectional Inspection
- C. SMTP Inbound Decryption
- D. SSH Forward Proxy
Answer: A
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection
NEW QUESTION 146
View the GlobalProtect configuration screen capture.
What is the purpose of this configuration?
- A. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
- B. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
- C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
- D. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-portals/define-the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
NEW QUESTION 147
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
- A. Importation of a certificate from an HSM
- B. Security policy rule allowing SSL to the target server
- C. Root certificate imported into the firewall with "Trust" enabled
- D. Firewall connectivity to a CRL
Answer: C
NEW QUESTION 148
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
- A. Resources widget
- B. System Utilization log
- C. CPU Utilization widget
- D. System log
Answer: A
NEW QUESTION 149
What is the maximum number of samples that can be submitted to WildFire per day, based on a WildFire subscription?
- A. 75,00
- B. 5,000
- C. 15,000
- D. 10,000
Answer: D
NEW QUESTION 150
DRAG DROP
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.
Answer: