
[Dec 02, 2023] Get to the Top with PCNSE Practice Exam Questions [Q32-Q57]



Sample Questions

Which configuration must be made on the firewall before it can read User-ID-to-IP-address mapping tables from external sources?

  • C. Captive Portal
  • D. User-ID Agents
  • B. Server Monitoring
  • A. Group Mapping Settings

For an external device to consume a local User-ID-to-IP-address mapping table, which data is used for authentication between the devices?

  • C. administrator's account information on the source device with the User-ID role set
  • B. User-ID agent's Server Monitor Account information
  • D. certificates added to the User-ID agent configuration
  • A. the source device's Data Redistribution Collector Name and Pre-Shared Key

User-ID-to-IP-address mapping tables can be read by which product or service?

  • A. Cortex XDR
  • D. Prisma Cloud
  • B. Panorama Log Collector
  • C. AutoFocus

 

NEW QUESTION # 32
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

  • A. System log
  • B. Resources widget
  • C. CPU Utilization widget
  • D. System Utilization log

Answer: B



NEW QUESTION # 33
An administrator needs to upgrade an NGFW to the most current version of PAN-OS software. The following is occurring:
* Firewall has internet connectivity through e1/1.
* Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
* Service route is configured, sourcing update traffic from e1/1.
* A communication error appears in the System logs when updates are performed.
* Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

  • A. Static route pointing application PaloAlto-updates to the update servers
  • B. Scheduler for timed downloads of PAN-OS software
  • C. Security policy rule allowing PaloAlto-updates as the application
  • D. DNS settings for the firewall to use for resolution

Answer: D



NEW QUESTION # 34
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

  • A. Set the passive link state to 'shutdown'.
  • B. Disable HA
  • C. Disable config sync
  • D. Disable the HA2 link

Answer: C


NEW QUESTION # 35
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

  • A. VeriSign > Palo Alto Networks > Symantec
  • B. VeriSign > Symantec > Palo Alto Networks
  • C. Palo Alto Networks > Symantec > VeriSign
  • D. Symantec > VeriSign > Palo Alto Networks

Answer: D


NEW QUESTION # 36
A logging infrastructure may need to handle more than 10,000 logs per second.
Which two options support a dedicated log collector function? (Choose two)

  • A. M-100 with Panorama installed
  • B. Panorama virtual appliance on ESX(i) only
  • C. M-500
  • D. M-100

Answer: C,D


NEW QUESTION # 37
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

  • A. ethernet1/5
  • B. ethernet1/7
  • C. ethernet1/3
  • D. ethernet1/6

Answer: A


NEW QUESTION # 38
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

  • A. Security zone
  • B. ARP entries
  • C. Netflow Profile
  • D. Virtual router

Answer: A,C


NEW QUESTION # 39
When configuring the firewall for packet capture, what are the valid stage types?

  • A. Receive, management, transmit, and drop
  • B. Receive, management, transmit, and non-syn
  • C. Receive, firewall, transmit, and drop
  • D. Receive, firewall, send, and non-syn

Answer: C

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-packet-capture/packet-capture-overview.html


NEW QUESTION # 40
In High Availability, which information is transferred via the HA data link?

  • A. heartbeats
  • B. User-ID information
  • C. HA state information
  • D. session information

Answer: D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-concepts/ha-links-and-backup-links


NEW QUESTION # 41
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers.
Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

  • A. Traffic logs
  • B. Tunnel Inspection logs
  • C. Configuration logs
  • D. System logs

Answer: D


NEW QUESTION # 42
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.
What can the administrator do to correct this issue?

  • A. Add the template as a reference template in the device group.
  • B. Specify the target device as the master device in the device group.
  • C. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings.
  • D. Add a firewall to both the device group and the template.

Answer: A

Explanation:
In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG


NEW QUESTION # 43
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

  • A. debug system details
  • B. show system info
  • C. show system details
  • D. show session info

Answer: B

Explanation:
Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/pan-os-60/PAN-CLI-ref.pdf


NEW QUESTION # 44
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

  • A. Email
  • B. Panorama
  • C. RADIUS
  • D. SNMP Trap
  • E. Kerberos
  • F. Syslog

Answer: A,D,F


NEW QUESTION # 45
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)

  • A. Untrust (Any) to Untrust (10.1.1.1) Web-browsing - Allow
  • B. Untrust (Any) to DMZ (1.1.1.100) Ssh - Allow
  • C. Untrust (Any) to Untrust (10.1.1.1) Ssh - Allow
  • D. Untrust (Any) to DMZ (1.1.1.100) Web-browsing - Allow

Answer: A,D


NEW QUESTION # 46
How can a candidate or running configuration be copied to a host external from Panorama?

  • A. Commit a running configuration.
  • B. Save a candidate configuration.
  • C. Export a named configuration snapshot.
  • D. Save a configuration snapshot.

Answer: C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/administer-panorama/back-up-panorama-and-firewall-configurations


NEW QUESTION # 47
A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)

  • A. A certificate authority (CA) certificate
  • B. A private key
  • C. A subject alternative name
  • D. A server certificate

Answer: C,D

Explanation:
When deploying SSL Forward Proxy decryption, a forward trust certificate must have a subject alternative name (SAN) and be a server certificate. SAN is an extension to the X.509 standard that allows multiple domain names to be protected by a single SSL/TLS certificate. It is used to identify the domain names or IP addresses that the certificate should be valid for. A private key is also required but it is not mentioned in the options. A certificate authority (CA) certificate is not required as the forward trust certificate itself is a CA certificate.


NEW QUESTION # 48
Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.)

  • A. Antivirus
  • B. User-ID
  • C. Content-ID
  • D. Applications and Threats

Answer: A,D


NEW QUESTION # 49
Where is information about packet buffer protection logged?

  • A. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log
  • B. All entries are in the Alarms log
  • C. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP addresses are in the Threat log
  • D. All entries are in the System log

Answer: D

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4


NEW QUESTION # 50
Match each GlobalProtect component to the purpose of that component

Answer:



NEW QUESTION # 51
Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate on all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?

  • A. The forward untrust certificate has not been signed by the self-signed root CA certificate
  • B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates
  • C. The forward trust certificate has not been installed in client systems
  • D. The forward trust certificate has not been signed by the self-signed root CA certificate

Answer: D

Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy


NEW QUESTION # 52
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)

  • A. GlobalProtect agent
  • B. XML API
  • C. log forwarding auto-tagging
  • D. User-ID Windows-based agent

Answer: C,D

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.
You can enable the dynamic registration process using any of the following options:
User-ID agent for Windows*
VM Information Sources
Panorama Plugin
VMware Service Manager
XML API*
Auto-Tag*
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.p
Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.


NEW QUESTION # 53
In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

  • A. Applications configured in the rule with their dependencies
  • B. Applications configured in the rule with applications seen from traffic matching the same rule
  • C. The running configuration with the candidate configuration of the firewall
  • D. The security rule with any other security rule selected

Answer: B

Explanation:
The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This option helps the administrator to identify any discrepancies between the intended and actual applications allowed by the rule. The administrator can then optimize the rule by adding or removing applications as needed [1]. Option A is incorrect because the compare option does not compare the running configuration with the candidate configuration of the firewall. That is done by using the Commit > Commit and Push option [2]. Option B is incorrect because the compare option does not compare applications configured in the rule with their dependencies. That is done by using the App Dependencies tab under Policy Optimizer [1].
Option D is incorrect because the compare option does not compare the security rule with any other security rule selected. That is done by using the Compare Rules option under Policies > Security [3].


NEW QUESTION # 54
What are three valid options when creating a new security policy? (Choose three.)

  • A. Deny All
  • B. Reset All
  • C. Block
  • D. Allow
  • E. Alert
  • F. Reset client
  • G. Deny

Answer: D,F,G



NEW QUESTION # 55
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Answer:

Explanation:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/set-up-zero-touch-provisio


NEW QUESTION # 56
A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

  • A. Custom Service object.
  • B. Security policy to identify the custom application.
  • C. Custom application.
  • D. Application Override policy.

Answer: A,B


NEW QUESTION # 57
......
