You are on page 1of 95

Vendor: Palo Alto Networks

Exam Code: PCNSE

Exam Name: Palo Alto Networks Certified Security Engineer
(PCNSE) PAN-OS 8.0

Version: 18.042

Important Notice
Product
Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within
One year after your purchase.

You can login member center and download the latest product anytime. (Product downloaded
from member center is always the latest.)

PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam
again.

Feedback
We devote to promote the product quality and the grade of service to ensure customers interest.

If you have any questions about our product, please provide Exam Number, Version, Page
Number, Question Number, and your Login Account to us, please contact us at
support@passleader.com and our technical experts will provide support in 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently.

If anyone who share the file we will disable the free update and account access.

Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final
explanation for this statement.

Order ID: ****************

PayPal Name: ****************

PayPal ID: ****************

QUESTION 1
A company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override
policy? (Choose two)

A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
B. Traffic will be forced to operate over UDP Port 16384.
C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: CD
Explanation:
An application override policy is changes how the Palo Alto Networks firewall classifies network
traffic into applications. An application override with a custom application prevents the session
from being processed by the App-ID engine, which is a Layer-7 inspection.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-an-Application-
Override-Policy/ta-p/60044

QUESTION 2
Which three fields can be included in a pcap filter? (Choose three)

A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface

Answer: BDE

QUESTION 3
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose
three)

A. Clean

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 2
http://www.passleader.com

Malware. https://www. Syslog B. C. DNS has not been properly configured on the firewall Answer: B Explanation: In a Layer 2 deployment.passleader. Grayware F. M-100 Answer: BD QUESTION 5 What are three valid method of user mapping? (Choose three) A. Which two options support a dedicated log collector function? (Choose two) A. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode. XML API C.B.000 logs per second. M-100 with Panorama installed D. Malware Answer: BEF Explanation: The WildFire verdicts are: Benign. After troubleshooting. 3 http://www. Server Monitoring Answer: ABE QUESTION 6 A host attached to ethernet1/3 cannot access the internet. M-500 C. D. Adware D. the firewall provides switching between two or more interfaces. The default gateway is attached to ethernet1/4. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode. Panorama virtual appliance on ESX(i) only B. Grayware. Suspicious E.com . Bengin C. Each group of interfaces must be assigned to a VLAN object in order for the firewall to switch between them.1X D. B. DHCP has been set to Auto. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/log-severity- levels-and-wildfire-verdicts QUESTION 4 A logging infrastructure may need to handle more than 10. WildFire E. What can be the cause of the problem? A. 802.

Which tab in the Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.com/documentation/70/pan-os/pan-os/getting-started/basic- interface-deployments QUESTION 7 The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls.passleader. QoS is enabled on all firewall interfaces. Applications Report C. Which feature can be used to identify. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. the firewall routes traffic between ports. see the statistics for ethernet 1/1 with QoS enabled: https://www. QoS Log Answer: A Explanation: Select Network > QoS to view the QoS Policies page and click the Statistics link to view QoS bandwidth. the applications taking up the most bandwidth? A. but there is no QoS policy written in the rulebase. and active applications for the selected QoS node or class. QoS Statistics B.paloaltonetworks. Choose this option when routing is required.paloaltonetworks. For example. https://www. active sessions of a selected QoS node or class.In a Layer 3 deployment. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.com . Application Command Center (ACC) D. in real time.com/documentation/61/pan-os/pan-os/quality-of-service/configure- qos QUESTION 8 A network security engineer is asked to provide a report on bandwidth usage. 4 http://www.

you can also view network activity by source or destination zone. 5 http://www. or IP address. https://www. region.html QUESTION 9 Which three options does the WF-500 appliance support for local analysis? (Choose three) A. Blocked Activity B.com/documentation/70/pan-os/pan-os/monitoring/acc-tabs.com . E-mail links B. Network Activity Answer: D Explanation: The Network Activity tab of the Application Command Center (ACC) displays an overview of traffic and user activity on your network including: Top applications in use Top users who generate traffic (with a drill down into the bytes. and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.passleader. jar files D. Portable Executable (PE) files Answer: ACE Explanation: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. ingress or egress interfaces. threats or URLs accessed by the user) Most used security rules against which traffic matches occur In addition. content. Threat Activity D. PNG files E. Bandwidth Activity C.ACC provides the information needed to create the report? A.paloaltonetworks. APK files C.

6 http://www.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic Answer: D QUESTION 11 After pushing a security policy from Panorama to a PA-3020 firewall.QUESTION 10 Company. B.com use to immediately address this traffic on a Palo Alto Networks device? A. Destination. then create an Application Override policy that includes the source. C. Create a custom Application without signatures.com . Destination Port/Protocol and Custom Application of the traffic. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application D. the firewall administrator Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Which method should company. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Wait until an official Application signature is provided from Palo Alto Networks.passleader.

B. None of the firewall's policies have been assigned a Log Forwarding profile Answer: D Explanation: In order to see entries in the Panorama Monitor > Traffic or Monitor > Log screens. SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Under Log Setting. The firewall is not licensed for logging to this Panorama device. 7 http://www. select New for Log Forwarding to create a new forwarding profile: Etc. A Server Profile has not been configured for logging to this Panorama device. C. 2.notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. a profile must be created on the Palo Alto Networks device (or pushed from Panorama) to forward log traffic to Panorama.com/t5/Configuration-Articles/How-to-Create-a-Profile-to-Forward- Logs-to-Panorama/ta-p/54038 QUESTION 12 A critical US-CERT notification is published regarding a newly discovered botnet. Panorama is not licensed to receive logs from this particular firewall. Go to Policies > Security and open the Options for a rule. What could be the problem? A. Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment? A. D. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader. https://live.paloaltonetworks.com . Furthermore. Steps: 1. The malware is very evasive and is not reliably detected by endpoint antivirus software.

24 through vr1 on the firewall.passleader. A DNS sinkhole can be used to identify infected hosts on a protected network using DNS traffic in environments where the firewall can see the DNS query to a malicious URL. File Blocking profiles applied to outbound security policies with action set to alert C.0. D. E. The devices are licensed and ready for deployment. Configuration and serial number files C. Device state and license files B. Which CLI command will help identify the issue? Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The management interface has an IP address of 192.139. Vulnerability Protection profiles applied to outbound security policies with action set to block D. The routing table on this firewall is extensive and complex. If the client attempts to access the fake IP address and there is a security rule in place that blocks traffic to this IP.183.paloaltonetworks. Antivirus profiles applied to outbound security policies with action set to alert Answer: A Explanation: Starting with PAN-OS 6. C.1.com .wordpress. the information is recorded in the logs. The devices are pre-configured with a virtual wire pair out the first two interfaces. The interfaces are pingable. The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain name to resolve to a definable IP address (fake IP) that is given to the client. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone. Answer: AC Explanation: https://popravak. https://live.com/2014/07/31/initial-setup-of-palo-alto-networks-next-generation- firewall/ QUESTION 14 A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall Which part of files needs to be imported back into the replacement firewall that is using Panorama? A. Configuration and Large Scale VPN (LSVPN) setups file Answer: A QUESTION 15 A network engineer has revived a report of problems reaching 98. DNS sinkhole is an action that can be enabled in Anti-Spyware profiles. B.1 and allows SSH and HTTPS connections.B. 8 http://www. Configuration and statistics files D.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta- p/58891 QUESTION 13 Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two) A.168.

Specify a destination IP address: > test routing fib-lookup virtual-router default ip <ip address> https://live.com/t5/Learning-Articles/How-to-Perform-FIB-Lookup-for-a- Particular-Destination/ta-p/52188 QUESTION 16 Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two) A.com/documentation/60/pan-os/pan-os/high-availability/configure- active-passive-ha QUESTION 17 What are three valid actions in a File Blocking Profile? (Choose three) A. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network. test routing fib virtual-router vr1 B.24 C. select two data interfaces for the HA2 link and the backup HA1 link.paloaltonetworks.24 virtual-router vr1 D. show routing interface Answer: C Explanation: This document explains how to perform a fib lookup for a particular destination within a particular virtual router on a Palo Alto Networks firewall.com . show routing route type static destination 98. Block C.183. Set the IP address and netmask. https://www. 1. B: 1. In Device > High Availability > General. Alret D. Upload E. Configure the management interface as HA2 Backup E. Forward B. Configure ethernet1/1 as HA3 Backup Answer: BE Explanation: E: For firewalls without dedicated HA ports. Configure the management interface as HA1 Backup F.A. Then. test routing fib-lookup ip 98.paloaltonetworks. Do not add a gateway if the devices are directly connected. Select the desired virtual router from the list of virtual routers configured with the command: > test routing fib-lookup virtual-router <value> 2. Configure Ethernet 1/1 as HA2 Backup D. 9 http://www.passleader.139. Enter a Gateway IP address only if the HA1 interfaces are on separate subnets.183. 2. Reset-both F. Select the interface that you have cabled for use as the HA1 link in the Port drop down menu. Configure the management interface as HA3 Backup B. edit the Control Link (HA1) section. Configure Ethernet 1/1 as HA1 Backup C. use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Continue Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.139.

The user can click through the page to download the file.paloaltonetworks. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA. Because this type of forwarding action requires user interaction. the file is blocked and a customizable block page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Alert .When the specified file type is detected.html QUESTION 18 An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command: What could be the cause of this problem? A. a customizable continuation page is presented to the user.com/documentation/61/pan-os/pan-os/policy/file-blocking- profiles. Block . A log is also generated in the data filtering log.When the specified file type is detected. B. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA. References: https://live.Answer: BCF Explanation: You can configure a file blocking profile with the following actions: Forward .com . If the user clicks through the continue page to download the file. the file is sent to WildFire for analysis.paloaltonetworks. a log is generated in the data filtering log.When the specified file type is detected. The shared secrets do not match between the Palo Alto firewall and the ASA D. C. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA Answer: B Explanation: The Proxy IDs could have been checked for mismatch.When the specified file type is detected.When the specified file type is detected. it is only applicable for web traffic. 10 http://www.com/t5/Configuration-Articles/IPSec-Error-IKE-Phase-1- Negotiation-is-Failed-as-Initiator-Main/ta-p/59532 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Continue-and-forward . a customizable response page is presented to the user. A log is also generated in the data filtering log.passleader. the file is sent to WildFire for analysis. https://www. Continue . A log is also generated in the data filtering log.

This tech brief summarizes the DNS classification. 11 http://www. and receives updates from WildFire cloud-based malware analysis environment every 30 minutes to make sure that. The data is continuously mined to discover malicious domains that are then added to the PAN-OS DNS signature set that is delivered daily. so do categorizations. Tab Mode B.com . This continuous feedback loop enables you to keep pace with the rapidly changing nature of the web. Trunk Interface Answer: B Explanation: You can only assign a single VLAN to a subinterface.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/intrface. DNS-based command-and-control signatures Answer: CD Explanation: C: PAN-DB categorizes URLs based on their content at the domain. PAN-DB URL Filtering D. when web content changes.com/products/secure-the-network/subscriptions/url-filtering-pandb https://www. 3. Brute-force signatures B. DNS-based denial of service attacks). Each subinterface must have a VLAN ID before it can pass traffic. Subinterface C. DNS responses with suspicious composition (abused query types. Our ability to prevent threats from hiding within DNS The passive DNS network feature allows you to opt-in to share anonymized DNS query and response data with our global passive DNS network. file and page level. it is a very commonly abused protocol for command-and-control and data exfiltration. 2.htm l QUESTION 20 Palo Alto Networks maintains a dynamic database of malicious domains. DNS queries for known malicious domains. http://www. Malformed DNS messages (symptomatic of vulnerability exploitation attack). enabling timely detection of compromised hosts within the network and the disruption of command-and-control channels that rely on name resolution.paloaltonetworks.passleader. Access Interface D. which includes: 1.paloaltonetworks. D: DNS is a very necessary and ubiquitous application. BrightCloud Url Filtering C.com/apps/pan/public/downloadResource?pagePath=/content/pan/e n_US/resources/techbriefs/dns-protection QUESTION 21 Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two) Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. https://www. automatically. Which two Security Platform components use this database to prevent threats? (Choose two) A. as such. inspection and protection capabilities supported by our next-generation security platform. and not to the physical interface.QUESTION 19 Which interface configuration will accept specific VLAN IDs? A.

Answer: A QUESTION 23 A VPN connection is set up between Site-A and Site-B. You can enable both types of protection mechanisms in a single DoS protection profile. C. there is an event logged as like-nego-p1-fail-psk. DNS has not been properly configured on the firewall.Detects and prevent session exhaustion attacks. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. Enable NAT Traversal on the Site-A IKE Gateway profile. * Resource Protection . D. illegal code execution. the threshold is based on the packets per second that do not match a previously established session. Vulnerability Object B. A default route is properly configured. D. In this type of attack. The default gateway is attached to Ethernet 1/1. When defining packets per second (pps) thresholds limits for zone protection profiles. No Zone has been configured on Ethernet 1/4.passleader. Interface Ethernet 1/1 is in Virtual Wire Mode. B.1.A.7 and the IP address of Ethernet 1/4 is 10.168. The profile must be applied to the entire zone. 12 http://www. DoS Protection Profile C. C: Data Filtering helps to prevent sensitive information such as credit card or social security numbers from leaving a protected network. What can be the cause of this problem? A. D: Provides additional protection between specific network zones in order to protect the zones against attack. * Flood Protection .paloaltonetworks.1. The IP address of Ethernet 1/1 is 192.1. https://www. Change the Site-B IKE Gateway profile version to match Site-A. and other attempts to exploit system vulnerabilities. so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. What action will bring the VPN up and allow traffic to start passing between the sites? A.com/documentation/60/pan-os/pan-os/threat-prevention/about- security-profiles QUESTION 22 A host attached to Ethernet 1/4 cannot ping the default gateway. B. this feature will protect against buffer overflows. C.Detects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable to respond to each request. For example. DNS has not been properly configured on the host. Zone Protection Profile Answer: BD Explanation: B: There are two DoS protection mechanisms that the Palo Alto Networks firewalls support. but no traffic is passing in the system log of Site-A. a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system’s resources. In this case the source address of the attack is usually spoofed. Data Filtering Profile D.7. Change the pre-shared key of Site-B to match the pre-shared key of Site-A Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.com . Incorrect Answers: A: Vulnerability protection stops attempts to exploit system flaws or gain unauthorized access to systems. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.

13 http://www.Answer: D QUESTION 24 A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. From the GUI. select show global counters under the monitor tab.com . https://live. VM-100 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. issue the show counter global filter packet-filter yes command.220 seconds name value rate severity category aspect description -------------------------------------------------------------------------------- pkt_recv 6387398 4 info packet pktproc Packets received pkt_recv_zero 370391 0 info packet pktproc Packets received from QoS 0 Etc. C.passleader. D. These outputs will help isolate the issue between two peers.paloaltonetworks. Answer: A Explanation: Native integration with all Palo Alto Networks products allows WildFire to inform and update subscribers with new protective capabilities for the network. https://www. C. Use the following CLI command to show when traffic is passing through the Palo Alto Networks firewall from that source to destination. From the CLI. From the CLI. B. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters? A. issue the show counter global filter pcap yes command. A policy is blocking WildFire Submission traffic. Though WildFire is working. We recommend that you use the global counter command with a packet filter to get specific traffic outputs. The engineer's account does not have permission to view WildFire Submissions.paloaltonetworks. What could cause this condition? A. Answer: B Explanation: You can check global counters for a specific source and destination IP addresses by setting a packet filter. From the CLI. B. > show counter global filter packet-filter yes delta yes Global counters: Elapsed time since last sampling: 20. cloud and endpoint in real time.com/t5/Management-Articles/How-to-check-global-counters-for-a- specific-source-and/ta-p/65794 QUESTION 25 A network security engineer has been asked to analyze Wildfire activity. The firewall does not have an active WildFire subscription. However. the Wildfire Submissions item is not visible form the Monitor tab. issue the show counter interface command for the ingress interface. D.com/products/secure-the-network/subscriptions/wildfire QUESTION 26 Which Palo Alto Networks VM-Series firewall is supported for VMware NSX? A. there are currently no WildFire Submissions log entries.

https://www.html QUESTION 27 A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Threat Prevention license and a premium support entitlement. GlobalProtect. The HA1 IP address from each peer must be on a different subnet D.com/documentation/70/virtualization/virtualization/about-the-vm- series-firewall/license-types-vm-series-firewalls. Which statement is true about this deployment? A. https://www. based on source and/or destination zone.paloaltonetworks. edit the Control Link (HA1 Backup) section. Another bundle includes the VM-Series capacity license (VM-1000-HV only) with the complete suite of licenses that include Threat Prevention. VM-1000-HV D. The management port may be used for a backup control connection Answer: D Explanation: Set up the backup control link connection. but the post-NAT zones.com . Then the firewall determines if the packet matches one of the NAT rules that have been defined. https://www. VM-200 C. The two devices must share a routable floating IP address B. Pre-NAT addresse and Pre-NAT zones B. PAN-DB URL Filtering. the firewall inspects the packet and does a route lookup to determine the egress interface and zone.B. 1. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.com/documentation/70/pan-os/pan-os/networking/nat-policy-rules Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. WildFire. Note: Use the management port for the HA1 link. and a premium support entitlement.passleader. 14 http://www. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses. VM-300 Answer: C Explanation: Licenses for the VM-Series NSX Edition Firewall In order to automate the provisioning and licensing of the VM-Series NSX Edition firewall in the VMware integrated NSX solution. In Device > High Availability > General. The two devices may be different models within the PA-5000 series C. Post-NAT addresse and Post-Nat zones C.paloaltonetworks. 2.com/documentation/70/pan-os/pan-os/high-availability/configure- active-passive-ha QUESTION 28 What must be used in Security Policy Rule that contain addresses where NAT policy applies? A. two license bundles are available: One bundle includes the VM-Series capacity license (VM-1000-HV only). Pre-NAT addresse and Post-Nat zones D.paloaltonetworks. Post-Nat addresses and Pre-NAT zones Answer: C Explanation: NAT Policy Rule Functionality Upon ingress.

D. and AutoFocus. Network > Interface Mgrnt D. you will want to change the service route for DNS. URL Updates. The firewall administrator created the following security policy on the company's firewall. WildFire. A report can be created that identifies unclassified traffic on the network. select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. Palo Alto Updates.com/documentation/71/pan-os/pan-os/getting-started/set-up- network-access-for-external-services QUESTION 31 A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post. Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network? A. Rule 2 and 3 apply to traffic on different ports. 1. Zone Protection Policy with UDP Flood Protection Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 2. Separate Log Forwarding profiles can be applied to rules 2 and 3. Which interface configuration will accept specific VLAN IDs? Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two) A. C. Device > Setup > Services > Service Route Configuration Answer: D Explanation: Configure the service routes. Objects > CustomerObjects > DNS C.paloaltonetworks. Different security profiles can be applied to traffic matching rules 2 and 3.passleader. Click the Customize radio button. 15 http://www.QUESTION 29 A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. Network > Virtual Router > DNS Interface B. Select Device > Setup > Services > Global and click Service Route Configuration. and select one of the following: For a predefined service. Note: For the purposes of activating your licenses and getting the most recent content and software updates. https://www.com . Answer: AD QUESTION 30 How are IPV6 DNS queries configured to user interface ethernet1/3? A. B.

Antivirus Answer: BCF Explanation: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. File Blocking C. This setting disables the antivirus and anti-spyware scanning on the server-side responses. Disable Server Response Inspection B. Select Classified as the Type.com . Url Filtering D. Add server IP Security Policy exception Answer: A Explanation: In the Other Settings section. For Flood Protection. QoS Policy to throttle traffic below maximum limit C.paloaltonetworks. 16 http://www. 1. Security Policy rule to deny trafic to the IP address and port that is under attack D. https://www. IDS/ISP E.passleader. 2. 3. select Any or enter the IP address of the device you want to protect. Threat Prevention F. Disable HIP Profile D. Apply an Application Override C. Select Objects > Security Profiles > DoS Protection and Add a profile Name. select the option to Disable Server Response Inspection. Classified DoS Protection Policy using destination IP only with a Protect action Answer: D Explanation: Step 1: Configure a DoS Protection profile for flood protection.com/documentation/61/pan-os/pan-os/policy/configure-dos- protection-against-flooding-of-new-sessions QUESTION 32 Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only? A. This step include: (Optional) For Destination Address.B.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic- security-policies QUESTION 33 Which three options are available when creating a security profile? (Choose three) A. Anti-Malware B. select the check boxes for all of the following types of flood protection: SYN Flood UDP Flood ICMP Flood ICMPv6 Flood Other IP Flood Step 2: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic. https://www. and thus reduces the load on the firewall.paloaltonetworks.

0/30 network? A. C.6. Configuring the metric for RIP to be higher than that of OSPF Int. file-blocking.93. static routes and directly-connected routes.10 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The web server physically resides in the "Trust-L3" zone.1. Administrative distance (AD) is an arbitrary numerical value assigned to dynamic routes.168.passleader.168. . Web server public IP address: 23. D.24. Data Filtering.54.10 . Answer: A Explanation: The best route is then selected among them based on Administrative Distance (AD) value of routing protocols which routes came from and that route is marked with flag A. The value is used by vendor-specific routers to rank routes from most preferred to least preferred. stating that it is the Active route. the router uses the route with the lowest administrative distance and inserts the preferred route into its routing table.com .com/t5/Management-Articles/Routing-Table-has-Multiple-Prefixes- for-the-Same-Route/ta-p/54781 QUESTION 35 A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information. https://live. anti-spyware.paloaltonetworks. and DoS) on a per-URL-category basis.Using the URL Category as match criteria allows you to customize security profiles (antivirus.66. Users outside the company are in the "Untrust-L3" zone . 17 http://www. QUESTION 34 Given the following table. Web server private IP address: 192.88 as the next hop for the 192. Configuring the administrative Distance for RIP to be lower than that of OSPF Int. B. vulnerability. Which configuration change on the firewall would cause it to use 10. . When multiple paths to the same destination are available. Configuring the metric for RIP to be lower than that OSPF Ext. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.

18 http://www.1. Destination IP of 23. There is a hardware problem with offloading FPGA on the management plane Answer: A QUESTION 38 A network Administrator needs to view the default action for a specific spyware signature.Spyware and select default profile. View the default actions displayed in the Action column. The missing packets are offloaded to the management plane CPU C. What should be done next? A. Destination IP of 192. Loopback C. C.54. Layer 3 D. D.10 C. https://www. Click the simple-critical rule and then click the Action drop-down list.6.passleader.paloaltonetworks. The packets are hardware offloaded to the offloaded processor on the dataplane B. Tunnel Answer: BC Explanation: GlobalProtect portal requires a Layer 3 or loopback interface for GlobalProtect clients to connect to.com/documentation/62/globalprotect/globalprotect-admin-guide/set- up-the-globalprotect-infrastructure/create-interfaces-and-zones-for-globalprotect QUESTION 37 What can missing SSL packets when performing a packet capture on dataplane interfaces? A. Click the Exceptions tab and then click show all signatures. The administrator follows the tabs and menus through Objects> Security Profiles> Anti. Untrust-L3 for both Source and Destination zone B. Click the Rules tab and then look for rules with "default" in the Action column. Answer: B Explanation: All Anti-spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. B. The packets are not captured because they are encrypted D. Virtual Wire B. You can view the default action by navigating to Objects > Security Profiles > Anti- Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone D.168.10 Answer: AD QUESTION 36 Which two interface types can be used when configuring GlobalProtect Portal?(Choose two) A.com .Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two) A.

paloaltonetworks. and/or add individual signature exceptions to Exceptions in the profile. Answer: D Explanation: When Panorama reaches the maximum capacity. including: * (B) All networking connectivity.Spyware or Objects > Security Profiles >Vulnerability Protection and then selecting a profile.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-up- antivirus-anti-spyware-and-vulnerability-protection. D. Panorama stops accepting logs until licenses for additional storage space are applied C.passleader. B. threat scanning for all types of threats and threat prevention * Logging. 19 http://www. you must create a new profile and then create rules with a non-default action.html QUESTION 39 How does Panorama handle incoming logs when it reaches the maximum storage capacity? A. it automatically deletes older logs to create space for new ones. including scanning for threats. switching. and network address translation * Application identification. and packet marking * Application decoding. To change the default action. https://www. packet forwarding. Panorama stops accepting logs until a reboot to clean storage space. dataplane zero. Management D. Panorama discards incoming logs when storage capacity full. Signature Match Answer: BDE Explanation: In these devices. functions as the master dataplane and determines which dataplane will be used as the session owner that is responsible for processing and inspection. including decryption and re-encryption * Policy lookups to determine what security policy to enforce and what actions to take. Dynamic routing C. routing. Network Processing E.com/documentation/70/panorama/panorama_adminguide/set-up- panorama/determine-panorama-log-storage-requirements QUESTION 40 Which three function are found on the dataplane of a PA-5050? (Choose three) A. Panorama automatically deletes older logs to create space for new ones. logging. with all logs sent to the control plane for processing and storage E: The following diagram depicts both the hardware and software architecture of the next- generation firewall Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The data plane provides all data processing and security detection and enforcement. https://www. using the content of the applications.com . or dp0 for short. Protocol Decoder B. not just port or protocol * SSL forward proxy. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column.

https://www. D.com . C.paloaltonetworks. https://live. Verify the CA to be blocked. the administrator wants to test one of the Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 20 http://www. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/ B. creating a separate certificate specifically for Untrust (which must be generated as a CA) allows for easy differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure session.pdf QUESTION 41 How is the Forward Untrust Certificate used? A.com/t5/Configuration-Articles/How-to-Prevent-Access-to-Encrypted- Websites-Based-on-Certificate/ta-p/57585 QUESTION 42 A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step. keeping in mind that doing so blocks access to all sites issued by this CA.Incorrect Answers: C: Management is done in the control plane. It is used when web servers request a client certificate. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.passleader.niap-ccevs.org/st/st_vid10392-st. It is used for Captive Portal to identify unknown users. Answer: C Explanation: Though a single certificate can be used for both Forward Trust and Forward Untrust.

test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> D. A security policy with a source of any from untrust-I3 Zone to a destination of 10.match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number B.100 in dmz- I3 zone using web-browsing application B.1.1. The destination NAT rule is configured to translate both IP address and report to 10. A NAT rule with a source of any from untrust-I3 zone to a destination of 1. Which NAT and security rules must be configured on the firewall? (Choose two) A.1.1.1.paloaltonetworks.1. Which CLI command syntax will display the rule that matches the test? A.1. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. C.100 on TCP Port 8080.security policies.1.com/t5/Management-Articles/How-to-Test-Which-Security-Policy- Applies-to-a-Traffic-Flow/ta-p/53693 QUESTION 43 The web server is configured to listen for HTTP traffic on port 8080. the test command from the CLI will search the security policies and display the best match: Example: > test security-policy-match source <source IP> destination <destination IP> protocol <protocol number> The output will show which policy rule will be applied to this traffic match based on the source and destination IP addresses.100 in untrust-I3 zone using service-http service. https://live.1. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> C. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security-policy-match source Answer: A Explanation: If you know the source or destination IP address. test security -policy. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.com .passleader.100 on TCP Port 80.100 in dmz-zone using service-http service. The clients access the web server using the IP address 1. 21 http://www.1.

passleader.100 in dmz-I3 zone using web-browsing application. Post Rules C. 22 http://www. What allows the firewall administrator to determine the last date a failover event occurred? A.paloaltonetworks.D. GlobalProtect SSL D. Answer: CD QUESTION 44 A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair.Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function.pdf QUESTION 46 Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats? A. From the CLI issue use the show System log B.Rule1 allows google-base . Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products? A. Check the status of the High Availability widget on the Dashboard of the GUI Answer: B QUESTION 45 A network administrator uses Panorama to push security polices to managed firewalls at branch offices.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/ Panorama-Design-Planning.com . GlobalProtect Apple IOS C. Pre Rules B. Apply the filter subtype eq ha to the System log C. A security policy with a source of any from untrust-I3 zone to a destination of 1. Explicit Rules D. Implicit Rules Answer: B Explanation: https://live. Apply the filter subtype eq ha to the configuration log D.1. The google-base App-ID implicitly Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. GlobalProtect Linux Answer: A QUESTION 47 Only two Trust to Untrust allow rules have been created in the Security policy . X-Auth IPsec VPN B.

https://www. and SSL App-ID's to it C. see Create Interfaces and Zones for GlobalProtect for instructions.paloaltonetworks. eval captive-portal policy <criteria> B. request cp-policy-eval <criteria> C. If you have not yet created the network interface for the portal. test cp-policy-match <criteria> D. add the web-browsing. Add SSL App-ID to Rule1 B.com display in the browser correctly? A. Create an additional Trust to Untrust Rule. to internet. For example.com/documentation/70/globalprotect/globalprotect-admin-guide/set- up-the-globalprotect-infrastructure/set-up-access-to-the-globalprotect-portal#47470 QUESTION 49 Which command can be used to validate a Captive Portal policy? A.com . Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. source any. Certificate Profile Answer: A Explanation: Specify the network settings to enable agents to connect to the portal. debug cp-policy <criteria> Answer: C Explanation: You can use the test security-policy-match command to determine whether the policy is configured correctly. 23 http://www. Which other value needs to be defined to complete the network settings configuration of GlobalPortect Portal? A. Add the Web-browsing App-ID to Rule2 Answer: C QUESTION 48 The GlobalProtect Portal interface and IP address have been configured. If you haven’t yet created an SSL/TLS service profile for the portal. they get an error indecating that the server cannot be found. destination-region any.com in a web browser.uses SSL and web-browsing.youtube. Authentication Profile D. Server Certificate B. see Deploy Server Certificates to the GlobalProtect Components.passleader. destination any. When user try to accesss https://www. source-region any. Client Certificate C. suppose you have a rule that blocks user duane from playing World of Warcraft. Which action will allow youtube. Add the DNS App-ID to Rule2 D. you could test the policy as follows: test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6 "deny worldofwarcraft" { from corporate.

10.4 updates from the support site to install on each firewall. D. Push the PAN-OS 7. terminal no.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall. Download and push PAN-OS 7. Online Certificate Status Protocol Answer: C Explanation: The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre- installed machine certificate before the user has logged in.4 directly on each firewall.paloaltonetworks.0. Which three methods can the firewall administrator use to install PAN-OS 7.0. 24 http://www. test panoramas-connect 10.10. B.4 update from one firewall to all of the other remaining after updating one firewall.4 across the enterprise?( Choose three) A. Download PAN-OS 7. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two) A.0. Machine certificate D. E.paloaltonetworks.1 to 7. The firewall's dedicated management port is being used to connect to the management network.0. } https://www.10.5) is not able to manage a firewall that was recently deployed.user acme\duane. Answer: AEF QUESTION 51 Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon? A.0. category any. F.com/documentation/60/globalprotect/global_protect_6- 0/globalprotect-quick-configs/remote-access-vpn-with-pre-logon QUESTION 52 The company's Panorama server (IP 10.4 files from the support site and install them on each firewall after manually uploading.0. Download PAN-OS 7. application/service worldofwarcraft.4.4 from Panorama to each firewall. action deny. Push the PAN-OS 7.10.com . https://www.passleader. C. Download and install PAN-OS 7.5 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.0.com/documentation/70/pan-os/pan-os/user-id/verify-the-user-id- configuration QUESTION 50 A company is upgrading its existing Palo Alto Networks firewall from version 7. Certificate revocation list B.0. Trusted root certificate C.

B. show panoramas-status
C. show arp all I match 10.10.10.5
D. topdump filter "host 10.10.10.5
E. debug dataplane packet-diag set capture on

Answer: BD
Explanation:
B: The show panorama-status command shows the Panorama connection status.
Sample Output
The following command shows information about the Panorama connection.
username@hostname> show panorama-status
Panorama Server 1 : 10.1.7.90
State : Unknown
username@hostname>

D: Issue
The Managed Devices show not connected to Panorama and are not able to establish a new
connection to Panorama.
The Packet Capture on Panorama Management Interface shows SYN packets received from
devices on port 3978, but no SYN ACK is sent from Panorama.
> tcpdump filter "port 3978"
> view-pcap mgmt-pcap mgmt.pcap

https://live.paloaltonetworks.com/t5/Management-Articles/Managed-Devices-Unable-to-Establish-
Connections-to-Panorama/ta-p/53248
https://www.paloaltonetworks.jp/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-
documentation/pan-os-5x/CLI_Reference_Guide-Panorama-5.1_PAN-OS-5.0.pdf

QUESTION 53
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog

Answer: ABF
Explanation:
Enable a Log Forwarding Profile (see step 4 below).
1. Select Objects > Log Forwarding Profile and Add a new security profile group.
2. Give the profile group a descriptive Name to help identify it when adding the profile to security
policies or security zones.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual
systems.
4. Add settings for the Traffic logs, Threat logs, and WildFire logs:
Select the Panorama check box for the severity of the Traffic, Threat, or WildFire logs that you
want to be forwarded to Panorama.
Specify logs that you want to forward to additional destinations: SNMP Trap destinations,
Email servers, or Syslog servers.
5. Click OK to save the log forwarding profile.

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 25
http://www.passleader.com

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/log-
forwarding-profiles.html

QUESTION 54
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a
source IP address?

A. Set the type to Aggregate, clear the session's box and set the Maximum concurrent Sessions to
4000.
B. Set the type to Classified, clear the session's box and set the Maximum concurrent Sessions to
4000.
C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to
4000.
D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to
4000.

Answer: C

QUESTION 55
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to
make accessible to the public at 1.1.1.1. The company has decided to configure a destination
NAT Policy rule.
Given the following zone information:

DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3

Answer: A
Explanation:
Create the NAT policy.
1. Select Policies > NAT and click Add.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source
Zone section (click Add and then select the zone) and the zone you created for the external
network from the Destination Zone drop down.
4. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-
down in the Source Address Translation section of the screen and then click Add. Select the
address object you just created.
5. Click OK to save the NAT policy.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat-
policies

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 26
http://www.passleader.com

QUESTION 56
Which two options are required on an M-100 appliance to configure it as a Log Collector?
(Choose two)

A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit
changes
B. Enter the command request system system-mode logger then enter Y to confirm the change to
Log Collector mode.
C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector
mode.
E. Log in the Panorama CLI of the dedicated Log Collector

Answer: BE
Explanation:
Step 1 (E): Access the Command Line Interface (CLI) on the M-100 appliance.
When prompted, log in to the appliance.
Step 2 (B): Switch from Panorama Mode to Log Collector Mode.
1. To switch to Log Collector mode, enter the following command:
request system logger-mode logger
2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a
CMS Login prompt, press Enter without typing a username or password. When the Panorama
login prompt appears, enter the default admin account and the password assigned during initial
configuration.
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up-
panorama/set-up-the-m-100-appliance#91340

QUESTION 57
Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity.
The administrator wants to determine where the traffic is going on the company.

What would be the administrator's next step?

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 27
http://www.passleader.com

10.168.1 that is configured in the default VR. Which is the next hop IP address for the HTTPS traffic from Will's PC? A.10.40.20.1 C.paloaltonetworks.com . that filter will automatically update if a new application gets added to that category in the latest content package. 172.16.30. TACACS+ provides greater security than RADIUS insofar as it encrypts usernames and passwords (instead of just passwords).10 IP address. when a 'peer-to-peer' is selected as a Technology Filter. A firewall has three PBF rules and a default route with a next hop of 172.20. TACACS+ Answer: D Explanation: Devices now support Terminal Access Controller Access-Control System Plus ( TACACS+) protocol for authenticating administrative users. Create local filter for bittorrent traffic and then view Traffic logs.20. D. C. and is also more reliable (it uses TCP instead of UDP). https://live.paloaltonetworks. For example.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0- release-information/authentication-features#91847 QUESTION 59 Click the Exhibit button below. Create a global filter for bittorrent traffic and then view Traffic logs. A user named Will has a PC with a 192.1 B. 172.passleader. 172. Click on the bittorrent application link to view network activity Answer: D Explanation: The application filter is a dynamic item that is created by selecting filter options (Category. He makes an HTTPS connection to 172.A.20.10. LDAP C.1 D. 28 http://www. Diameter D.com/t5/Learning-Articles/How-to-Block-Traffic-Based-on-Application- Filters-with-an/ta-p/59965 QUESTION 58 Support for which authentication method was added in PAN-OS 7. 172. Technology) in the application browser.10. Any new applications coming to PAN-OS in a content update that match the same filters.20. Right-Click on the bittorrent link and select Value from the context menu B. the set will automatically be added to the Application Filter created. RADIUS B. https://www.20.1 Answer: C Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.20.0? A. Subcategory.

User will get "HTTP Error 503 -Service unavailable" message Answer: A QUESTION 63 In order to route traffic between layer 3 interfaces on the PAN firewall you need: A. EXEs Answer: ACE Explanation: https://www. The URL filtering policy to Block is enforced B.html QUESTION 61 What is the name of the debug save file for IPSec VPN tunnels? A. PDFs D.) A.paloaltonetworks.com D. It will be translated successfully C. Vwire C. Which three file types are supported? (Choose three.com/documentation/70/wildfire/wf_admin/wildfire-overview/ wildfire- concepts. It will be redirected to www. VLAN B.com via Google Translator? A. JARs B. Ikemgr.QUESTION 60 A company has started utilizing WildFire in its network.passleader. PSTs C. 29 http://www. Virtual Router Answer: D QUESTION 64 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.com . JPGs E. test vpn ike-sa C.2600. Security Profile D.pcap Answer: D QUESTION 62 What will the user experience when browsing a Blocked hacking website such as www. request vpn IPsec-sa test D.2600. set vpn all up B.

Endpoints C.passleader. http://www.MyApplipedia.com . Data Center Answer: D QUESTION 68 What are the major families of file types now supported by Wildfire in PAN-OS 7.paloaltonetworks. http://applications. All of the above E.Applipedia. Malware B. Microsft Office files and Adobe Flash applets Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. URL Content Answer: A QUESTION 65 What is the URL for the full list of applications recognized by Palo Alto Networks? A. Cloud B. http://www. TTL D. All executable files. Source Port C.Wildfire may be used for identifying which of the following types of traffic? A. All executable files and all files with a MIME type B. what other places in the network might be affected? A. Hash F. Source IP B. DNS C.com D.0? A. DHCP D. Data Payload E. Branch Offices D. PDF files. 30 http://www.com B.com C. Encryption Key Answer: D QUESTION 67 If malware is detected on the internet perimeter.paloaltonetworks.com Answer: C QUESTION 66 What does App-ID inspect to identify an application? A. http://applipedia.

C. Any PA-5000 or PA-7000 series firewall B. Processing all traffic across all ports & protocols. All executable files. False Answer: B QUESTION 73 How quickly are Wildfire updates about previously unknown files now being delivered from the Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Alarm generation of known threats traversing the device B. False Answer: A QUESTION 71 Which hardware platform should I consider if the customer needs at least 1 Gbps of Threat Prevention throughput and the ability to handle at least 250K sessions? A. PDF. Any PA-3000. 31 http://www.com . PA-5000. PE files. Only the PA-3050 firewall and higher Answer: C QUESTION 72 True or False: DSRI degrades the performance of a firewall? A. Java applets. which in turn can allow advanced features like virus/malware scanning without effecting firewall performance A. A. True B. Application Visibility and URL Categorization C. APK. or PA-7000 series firewall D. Centralized or distributed log collectors Answer: BD QUESTION 70 True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can be scanned as it crosses the firewall with minimum amount of buffering. Microsoft Office.passleader. and Flash D. Endpoint and server scanning for known malware D. Only the PA-3060 firewall and higher C. PDF files and Microsft Office files Answer: C QUESTION 69 Which of the following are critical features of a Next Generation Firewall that provide Breach prevention? Choose two. True B. in both directions E.

Anti Command & Control signatures (Threat) Answer: CDG Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.com . 32 http://www. 1 day D. 15 minutes B. Mobile (Global Protect) C. URLs and APKs? A.1)? A. 30 minutes C. All PA-5000 and PA-7000 series firewall platforms B. Content/Web Filtering (Pan-DB) E. 60 minutes Answer: D QUESTION 74 Which of the following are valid Subscriptions for the Next Generation Platform? [Select All that apply] A.cloud to customers with a WildFire subscription (as of version 6. The PA-3060 firewall platform D. The PA-7000 series firewall platforms Answer: C QUESTION 76 Select all the platform components that Wildfire automatically updates after finding malicious activity in previously unknown files. Content ID E. App ID Answer: ABF QUESTION 75 Which hardware firewall platforms include both built-in front-to-back airflow and redundant power supplies? A. Threat Prevention G.passleader. Decrypt (Port-Mirroring) B. Anti-Malware signatures (WildFire) F. URL Filtering B. All Palo Alto Networks hardware firewall platforms C. SSL Decryption F. Management (Panorama) G. User ID D. 5 minutes E. Support C. Anti-Virus (Threat) D.

33 http://www. Predictable throughput D. Comprehensive security platform designed to scale functionality over time C. E. Seemless integration with the Threat Intelligence Cloud F. Showing which users are running which applications and provide a method for controlling application access on a by user Answer: ABE QUESTION 79 What are the main benefits of WildFire? (Select the three correct answers. Answer: BDE QUESTION 80 The automated Correlation Engine uses correlation objects to analyze the logs for patterns.QUESTION 77 What are five benefits of Palo Alto Networks NGFWs (Next Generation Firewalls)? (Select the five correct answers. Convenient configuration Wizard B. WildFire gathers information from possible threats detected by both NGFWs and Endpoints. C.) A. When a match occurs: A.) A. WildFire can provide comprehensive protection. The Correlation Engine blocks the connection B. By collecting and distributing malware signatures from every major anti-virus vendor. Showing how Palo Alto Networks' firewalls provide visibility into applications and control of those applications C. After setting match criteria in the Object tab showing how that data is presented in the logs E. The Correlation Engine displays a warning message to the end user Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. D. Identical security subscriptions on all models Answer: BCDEF QUESTION 78 What are the three key components of a successful Three Tab Demo? (Select the three correct answers.) A.passleader. Providing visibility into recently occurring threats and showing how to block those threats B. Presenting the information in the Network and Device tabs D. It's a sandboxing environment that can detect malware by observing the behavior of unknown files.com . By using Palo Alto Networks' proprietary cloud-based architecture. The Correlation Engine generates a correlation event C. Easy-to-use GUI which is the same on all models E. B. quarantine holds on suspicious files are typically reduced to less than 30 seconds. Signatures for identified malware are quickly distributed globally to all Palo Alto Networks' customers' firewalls.

Monitor C. Objects D. ACC B. TRUE B. Device Answer: A QUESTION 84 True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud. A. Network E. Redundancy D.D.com . False Answer: A QUESTION 85 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. True B. Number of applications E.passleader. 34 http://www. The Correlation Engine dumps the alarm log Answer: B QUESTION 81 Which one of these is not a factor impacting sizing decisions? A. Decryption B. Which of the following PanOS tabs would an administrator utilize to identify culpable users. A. Performance F. Number of rules Answer: D QUESTION 82 TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows. A. FALSE Answer: A QUESTION 83 A spike in dangerous traffic is observed. Sessions C. Policies F.

dp-monitor log Answer: CD QUESTION 86 Which option is an IPv6 routing protocol? A. Authentication profile Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.com/documentation/70/pan-os/pan-os/networking/nat-configuration- examples QUESTION 88 A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface. What can be done to simplify the NAT policy? A. The internal web server must also initiate connections with the external server. Management profile D. BGP NG Answer: B QUESTION 87 A network security engineer has a requirement to allow an external server to access an internal web server. authd log C. OSPv3 D.passleader. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option Answer: C Explanation: https://www. Default route C. Which configuration setting needs to be modified? A. System log D. Configure a NAT Policy rule with Dynamic IP and Port C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option D. Configure ECMP to handle matching NAT traffic B. RIPv3 B.Firewall administrators cannot authenticate to a firewall GUI.paloaltonetworks. 35 http://www. Traffic log E.com . ms log B. OSPFv3 C. Service route B.) A.

> show system info B. 36 http://www. The management interfaces must to be on the same network.com/t5/Management-Articles/Show-System-Resource-Command- Displays-CPU-Utilization-of-9999/ta-p/58149 QUESTION 91 Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? A.paloaltonetworks.Answer: A QUESTION 89 A Network Administrator wants to deploy a Large Scale VPN solution. B. The Network Administrator has chosen a GlobalProtect Satellite solution. Allow D.paloaltonetworks. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. Create a Template with the appropriate IPSec tunnel settings C.passleader. > debug management-server show D. Log B. The firewalls must have the same set of licenses. Alert C.) A.com/documentation/70/pan-os/pan-os/url-filtering/url-filtering- profile-actions QUESTION 92 What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two. > show running resource-monitor Answer: B Explanation: https://live. How should this be accomplished? A. Create a Device Group with the appropriate IKE Gateway settings D. Create a Template with the appropriate IKE Gateway settings B. Default Answer: B Explanation: https://www. > show system resources C. Create a Device Group with the appropriate IPSec tunnel settings Answer: B QUESTION 90 Which CLI command displays the current management plan memory utilization? A.com .

com/documentation/61/panorama/panorama_adminguide/manage- log-collection/enable-log-forwarding-from-panorama-to-external-destinations QUESTION 96 Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log? Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Panorama Log Templates C.paloaltonetworks. Stealth Rules E. Answer: AC QUESTION 93 Which three rule types are available when defining policies in Panorama? (Choose three. Trunk interface type with specified tag B. 37 http://www. Layer 3 subinterface type with specified tag Answer: D QUESTION 95 Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system? A.passleader. The peer HA1 IP address must be the same on both firewalls. Collector Log Forwarding for Collector Groups Answer: A Explanation: https://www.com/documentation/71/pan-os/web-interface-help/panorama-web- interface/defining-policies-on-panorama QUESTION 94 A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design? A. Panorama Device Group Log Forwarding D. D. Layer 2 interface type with a VLAN assigned D. Pre Rules B. Either directly or with an intermediate Layer 2 device. Default Rules D.C. Clean Up Rules Answer: ABC Explanation: https://www. Layer 3 interface type with specified tag C.paloaltonetworks.com .) A. Panorama Log Settings B. HA1 should be connected to HA1. Post Rules C.

Create new VPN zones at each site to terminate each VPN connection Answer: C QUESTION 98 Which authentication source requires the installation of Palo Alto Networks software.A.0 C. Default Answer: B QUESTION 97 Several offices are connected with VPNs using static IPV4 routes. Enable OSPFv3 on each tunnel interface and use Area ID 0.0. 38 http://www. Microsoft Active Directory B.0. Enable OSPFv3 on each tunnel interface and use Area ID 0.0. Allow D. other than PAN-OS 7x.0. Assign OSPF Area ID 0. to obtain a username-to-IP-address mapping? A. Log B.0. Microsoft Terminal Services C. Assign OSPF Area ID 0. Assign an IP address on each tunnel interface at each site B. Which step is required to accomplish this goal? A. Assign an IP address on each tunnel interface at each site B. An administrator has been tasked with implementing OSPF to replace static routing. Alert C.0.com .passleader. Create new VPN zones at each site to terminate each VPN connection Answer: C QUESTION 100 People are having intermittent quality issues during a live meeting via web application. A. Use QoS profile to define QoS Classes B.0 to all Ethernet and tunnel interfaces D. An administrator has been tasked with implementing OSPF to replace static routing.0. Which step is required to accoumplish this goal? A.0 C.0.0 to all Ethernet and tunnel interfaces D. Use QoS Profile to define QoS Classes and a QoS Policy Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Aerohive Wireless Access Point D. Use QoS Classes to define QoS Profile C. Palo Alto Networks Captive Portal Answer: B QUESTION 99 Several offices are connected with VPNs using static IPv4 routes.

Management profile Answer: C Explanation: The firewall uses the management (MGT) interface by default to access external services. OSPFv3 D.D. Which two routing options support these addresses? (Choose two. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Service route D. external authentication servers. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services.passleader. Which configuration setting needs to be modified? A. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.) A. it provides support for IPv6 addresses and prefixes. You can configure service routes globally for the firewall or Customize Service Routes for a Virtual System on a firewall enabled for multiple virtual systems so that you have the flexibility to use interfaces associated with a virtual system. Palo Alto Networks services such as software. 39 http://www. licenses and AutoFocus. Authentication profile B. URL updates.com/documentation/80/pan-os/pan-os/networking/service-routes QUESTION 103 A network security engineer needs to configure a virtual router using IPv6 addresses. Default route C. such as DNS servers.com . The path from the interface to the service on a server is known as a service route. When configuring Certificate Profiles B. When configuring User Activity Reports D.paloaltonetworks. RIP Answer: AC Explanation: C: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. When configuring Antivirus Dynamic Updates Answer: D QUESTION 102 A network design change requires an existing firewall to start accessing Palo Alto Updates from a dataplane interface address instead of the management interface. Static Route B. As such. https://www. BGP C. Use QoS Classes to define QoS Profile and a QoS Policy Answer: C QUESTION 101 When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall? A. When configuring GlobalProtect portal C.

3. The Network Administrator has chosen a GlobalProtect Satellite solution. Create a Template with the appropriate lPSec tunnel settings. Use QoS Classes to define QoS Profile C. Create a Device Group with the appropriate IKE Gateway settings. Add a Static Route: E. When configuring User Activity Reports C.0/0) as ::0/ F. D. Set destination (example. Create a Device Group with the appropriate lPSec tunnel settings. B. When configuring Certificate Profiles D.paloaltonetworks. How can the performance of this application be improved? A. Select the Interface G. Create a Template with the appropriate lKE Gateway settings.0. When configuring Antivirus Dynamic Updates Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Use QoS Profile to define QoS Classes Answer: A QUESTION 106 When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall? A. Add a Virtual Router and go to Static Routes > IPv6. Answer: D Explanation: Note: The administrator of the satellite must enter the credentials when the satellite connects to the portal. Use QoS Profile to define QoS Classes and a QoS Policy B. Go to Network > Virtual Router 2. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. This is done on the satellite by navigating to Network > IPSec Tunnels and choosing "gateway info" and then clicking on "Enter Credentials". When configuring GlobalProtect portal B. QUESTION 105 People are having intermittent quality issues during a live meeting via a web application.passleader.A: How to Set Default Route for IPv6 Traffic Steps 1. C.paloaltonetworks. Use QoS Classes to define QoS Profile and QoS Policy D.com/t5/Configuration-Articles/How-to-Set-Default-Route-for-IPv6- Traffic/ta-p/52731 QUESTION 104 A Network Administrator wants to deploy a Large Scale VPN solution. IPV4 0. Set the Next Hop IP address https://www.com/documentation/60/pan-os/newfeaturesguide/networking- features/ospf-v3-support https://live. How should this be accomplished? A. 40 http://www.0.com .

If you are shaping outgoing traffic. 41 http://www. This allows the user to take a moment to consider whether or not they want to download a file. causing delays in mission- critical traffic. file type. Interface Ethernet 1/1 has a QoS profile called Outbound. D.paloaltonetworks. and interface Ethernet 1/21 has a QoS profile called Inbound. Block all unauthorized applications using a security policy. Create a File Blocking Profile that blocks Layer 4 and Layer 7 attacks. Outbound profile with Guaranteed Ingress B.paloaltonetworks. and QoS has been enabled on both interfaces. B. Outbound profile with Maximum Ingress Answer: B Explanation: Identify the egress interface for applications that you identified as needing QoS treatment. Inbound profile with Maximum Egress C. and transmission direction (upload or download). the egress interface is the internal-facing interface.passleader.com .ethernet 1/2. Block all known internal custom applications. A QoS rule exists to put the YouTube application into QoS class 6.Answer: D QUESTION 107 A file sharing application is being permitted and no one knows what this application is used for.com/documentation/61/pan-os/pan-os/quality-of-service/configure- qos Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Create a WildFire Analysis Profile that blocks Layer4 and Layer 7 attacks. C. If you are shaping incoming traffic. Zone: Untrust (Internet-facing) . Which setting for Class 6 will throttle YouTube traffic? A. Specify files to be forwarded for analysis based on application. You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. Answer: C Explanation: The firewall uses file blocking profiles two ways: to forward files to WildFire for analysis or to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both).com/documentation/61/pan-os/pan-os/policy/file-blocking-profiles QUESTION 108 YouTube videos are consuming too much bandwidth on the network. The egress interface for traffic depends on the traffic flow. the egress interface is the external-facing interface. Incorrect Answers: D: Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. https://www. The administrator wants to throttle YouTube traffic. Inbound profile with Guaranteed Egress D. You can also configure custom block pages that will appear when a user attempts to download the specified file type. Zone: Trust (client-facing) A QoS profile has been created.ethernet 1/1. The following interfaces and zones are in use on the firewall: . https://www. How should this application be blocked? A.

and POP3 protocols while blocking for FTP.Alert F.QUESTION 109 Which field is optional when creating a new Security Police rule? A. 42 http://www. https://www. The IP address specified in the sinkhole configuration. IMAP . Description B. The example here shows using 1. The IP address of the command-and-control server. Click in the Sinkhole IPv4 field and type in the fake IP.Alert H. C. Source Zone Answer: A Explanation: The optional fields are: Description. Action D. SMB .paloaltonetworks. Name E. Match each decoder with its default action. Answer: A Explanation: Change the "Action on DNS queries" to 'sinkhole'.Reset-both G. the policy will inspect for viruses on the decoders.com D. and SMB protocols. IMAP. What will be the destination IP address in that log entry? A. SMB . https://www. POP3. FTP. SMTP . IMAP . Destination Zone C. Source IP Address and Destionation IP Address.com/documentation/61/pan-os/pan-os/policy/components-of-a- security-policy-rule#_43864 QUESTION 110 When using the predefined default antivirus profile.Alert D.com .1.passleader. POP3.paloaltonetworks.Reset-both Answer: ADFG Explanation: The default profile inspects all of the listed protocol decoders for viruses.1.Alert B. and generates alerts for SMTP.com/documentation/70/pan-os/pan-os/policy/antivirus-profiles QUESTION 111 When a malware-infected host attempts to resolve a known command-and-control server. HTTP. HTTP . The IP address of sinkhole. FTP. Answer options may be used more than once or not at all. Tag.Reset-both C.paloaltonetworks. SMTP .Reset-both E. generating a traffic log.1 for Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. (select four) A. The IP address of one of the external DNS servers identified in the anti-spyware database. HTTP . B. the traffic matches a security policy with DNS sinkhole enabled.

you can also use either a Loopback IP (127. Alternatively. https://live.112). Answer: D Explanation: To customize the format of the syslog messages that the firewall sends. D.html QUESTION 113 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.0.simplicity. For details on how to create custom formats for the various log types. Enable support for non-standard syslog messages under device management.com/t5/Configuration-Articles/How-to-Configure-DNS-Sinkhole/ta- p/58891 QUESTION 112 How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers? A. Select a non-standard syslog server profile B.passleader.paloaltonetworks.paloaltonetworks.1) or Palo Alto Networks Sinkhole IP (71.com . refer to the Common Event Format Configuration Guide. then it should be Ok.com/documentation/70/pan-os/pan-os/monitoring/configure-syslog- monitoring. https://www.152. 43 http://www. C. but as long as this fake IP is not used inside of the network. select the Custom Log Format tab. Create a custom log format under the syslog server profile. Check the custom-format check box in the syslog server profile.0.19.

What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an
active/passive High Availability (HA) pair? (Choose two.)

A. The management interfaces must be on the same network.
B. The firewalls must have the same set of licenses.
C. The peer HA1 IP address must be the same on both firewalls.
D. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.

Answer: BC
Explanation:
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that
meet the following requirements:
The same set of licenses --Licenses are unique to each firewall and cannot be shared between
the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an
identical set of licenses, they cannot synchronize configuration information and maintain parity for
a seamless failover.
The same type of interfaces --Dedicated HA links, or a combination of the management port and
in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP
address for both peers must be on the same subnet if they are directly connected or are
connected to the same switch.
Etc.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-
availability/prerequisites-for-active-passive-ha#_74574

QUESTION 114
Which device Group option is assigned by default in Panorama whenever a new device group is
created to manage a Firewall?

A. Universal
B. Master
C. Global
D. Shared

Answer: D
Explanation:
Select the Parent Device Group (default is Shared) that will be just above the device group you
are creating in the device group hierarchy.
https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-
firewalls/add-a-device-group#_26700

QUESTION 115
When performing the "ping" test shown in this CLI output:

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 44
http://www.passleader.com

What will be the source address in the ICMP packet?

A. 10.46.64.94
B. 10.30.0.93
C. 192.168.93.1
D. 10.46.72.93

Answer: A

QUESTION 116
Site-A and Site- have a site-to-site VPN set up between them. OSPF is configured to dynamically
create the routes between the sites. The OSPF configuration in Site- is configured properly, but
the route for the tunnel is not being established. The Site- interfaces in the graphic are using a
broadcast Link Type. The administrator has determined that the OSPF configuration in Site- is
using the wrong Link Type for one of its interfaces.

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 45
http://www.passleader.com

Which Link Type setting will correct the error?

A. Set ethernet1/21 to p2p
B. Set tunnel.10 to p2p
C. Set tunnel.10 to p2mp
D. Set ethernet1/21 to p2mp

Answer: A
Explanation:
We should set p2p on the Ethernet interface to enable automatic discovery of neighbors.
Note: OSPF Link type -- Choose Broadcast if you want all neighbors that are accessible through
the interface to be discovered automatically by multicasting OSPF hello messages, such as an
Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose
p2mp (point-to- multipoint) when neighbors must be defined manually. Defining neighbors
manually is allowed only for p2mp mode.
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/ospf

QUESTION 117
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-
VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q
trunk interface.
Which interface type and configuration setting will support this design?

A. Layer 3 subinterface type with specified tag
B. Layer 3 interface type with specified tag
C. Trunk interface type with specified lag
D. Layer 2 interface type with a VLAN assigned

Answer: A
Explanation:
The interface ethernet1/15 is configured as a layer 3 interface. Subinterfaces corresponding to
each one of the VLAN are created off of the parent interface Ethernet 1/15. Each subinterface is
assigned a VLAN tag and an IP address corresponding to the VLAN provides connectivity.

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 46
http://www.passleader.com

Collector Log Forwarding for Collector Groups D.com/documentation/61/panorama/panorama_adminguide/manage- log-collection/enable-log-forwarding-from-panorama-to-external-destinations#_91682 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. a router must be used to route traffic between the VLANs. QUESTION 118 Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.com . AWS C. In this configuration a Palo Alto networks firewall can used to securely route traffic within the VLAN.paloaltonetworks.) A. if a device in one VLAN needs to communicate with a device in another VLAN. one or more routers must be used for inter VLAN communication. Panorama Device Group Log Forwarding B. Panorama Log Templates Answer: B Explanation: To forward Panorama logs: Panorama > Log Settings > System Panorama > Log Settings > Config https://www.Note: Inter VLAN routing with each VLAN in a unique IP subnet In order for network devices in different VLANs to communicate. VMware NSX D.0? (Choose two. This is also commonly called "one arm routing" or "router on a stick". VMware ESX B.passleader. 47 http://www. Panorama Log Settings C. While VLANs help to control local traffic. KVM Answer: AD Explanation: QUESTION 119 Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system? A.

paloaltonetworks. OSPFv3 B. RIPv3 Answer: A Explanation: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. RADlUS with Vendor-Specific Attributes C.com/documentation/70/pan-os/pan-os/url-filtering/url-filtering- Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader.paloaltonetworks. https://www. Kerberos B. Incorrect Answers: A: Allow: The website is allowed and no log entry is generated.QUESTION 120 In an enterprise deployment. As such. https://www. LDAP Answer: C Explanation: As a more secure alternative to password-based authentication to the Panorama web interface. 48 http://www.com/documentation/80/panorama/panorama_adminguide/set-up- panorama/configure-a-panorama-administrator-with-certificate-based-authentication-for-the-web- interface QUESTION 121 Which option is an IPv6 routing protocol? A. https://www. Which authentication method must be used? A.based authentication involves the exchange and verification of a digital signature instead of a password. Default D. OSPFv2 D. Certificate-based authentication D. it provides support for IPv6 addresses and prefixes. BGP NG C. a network security engineer wants to assign rights to a group of administrators without creating local administrator accounts on the firewall. Alert Answer: D Explanation: The website is allowed and a log entry is generated in the URL filtering log. C: There is no URL Filtering Security Profile action named default. Certificate.com .v3-support QUESTION 122 Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? A.paloaltonetworks. B: There is no URL Filtering Security Profile action named log. Allow B. you can configure certificate-based authentication for administrator accounts that are local to Panorama.com/documentation/60/pan-os/newfeaturesguide/networking- features/ospf. Log C.

Traffic log C. to obtain username-to-IP-address mapping? A. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions Answer: AC QUESTION 125 Firewall administrators cannot authenticate to a firewall GUI. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions B.) A. Enable User-ID on the zone object for the destination zone E. other than PAN-OS 7x.log B. Incorrect Answers: A: If you want to integrate Aerohive with Palo Alto the suggested route is to run a script on a Kiwi Syslog Server which parses the Aerohive log and then updates the Palo Alto with Username/IP address mapping.and group-based security policy enforcement.log D.com/documentation/60/pan-os/pan-os/user-id/configure-user- mapping-for-terminal-server-users QUESTION 124 Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.log Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.paloaltonetworks. Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two. A working VB script for Kiwi is provided below. dp-monitor. which allows the firewall to create an IP address-port-user mapping table and enable user. Palo Alto Networks Captive Portal D. Microsoft Terminal Services C. Enable User-ID on the zone object for the source zone D. authd.com . Microsoft Active Directory Answer: B Explanation: Configure User Mapping for Terminal Server Users Individual terminal server users appear to have the same IP address and therefore an IP address to username mapping is not sufficient to identify a specific user. ms. To enable identification of specific users on Windows-based terminal servers.profile-actions QUESTION 123 Which authentication source requires the installation of Palo Alto Networks software. Aerohive Wireless Access Point B.) A. Etc. the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. Configure a RADIUS server profile to point to a domain controller C. It then notifies every connected firewall about the allocated port range.passleader. 49 http://www. https://www.

> show running resource-monitor D.0.) A. C.com . is the core of an OSPF network. Area 0. Create new VPN zones at each site to terminate each VPN connection. D.0. > show system info B.0.0. Answer: D Explanation: OSPF Area Types include the Backbone Area.0 to all Ethernet and tunnel interfaces. the top process in the output shows 9999% CPU utilization. Which step is required to accomplish this goal? A.0. All routing between areas is distributed through the backbone area.0 B. Assign an IP address on each tunnel interface at each site.paloaltonetworks.0.paloaltonetworks. > show system resources C. this connection doesn't need to be direct and can be made through a virtual link. Pre Rules E. Default Rules Answer: CDE Explanation: https://www.0.E. 50 http://www. https://www. Enable OSPFv3 on each tunnel interface and use Area ID 0.passleader. > debug management-server show Answer: B Explanation: When running show system resources from the PAN-OS CLI.com/documentation/61/panorama/panorama_adminguide/manage- firewalls/manage-the-rule-hierarchy QUESTION 127 Several offices are connected with VPNs using static IPv4 routes. The backbone has the reserved area ID of 0. System log Answer: BE QUESTION 126 Which three rule types are available when defining polices in Panorama? (Choose three. All other areas are connected to it and all traffic between areas must traverse it. Clean Up Rules B.com/documentation/60/pan-os/pan-os/networking/configure-ospf QUESTION 128 Which CLI command displays the current management plane memory utilization? A. Assign OSPF Area 0. The following is an example output: > show system resources Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Stealth Rules C. An administrator has been tasked with implementing OSPF to replace static routing. While all other OSPF areas must connect to the backbone area. Post Rules D.

How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B? A. Site-B uses a private IP address behind an ISP router to connect to the internet. https://www.com/documentation/61/panorama/panorama_adminguide/manage- log-collection/remove-a-firewall-from-a-collector-group#_24966 QUESTION 130 Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address.com/t5/Management-Articles/Show-System-Resource- CommandDisplays-CPU-Utilization-of-9999/ta-p/58149 QUESTION 129 A distributed log collection deployment has dedicated Log Collectors. Remove the device from the Collector Group D.paloaltonetworks. 51 http://www.com . A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. Remove the cable from the management interface.paloaltonetworks. Revert to a previous configuration C. if you need a device to send logs to Panorama instead of sending logs to the Collector Group. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments B. Enable on Site-A only B. reload the Log Collector and then re-connect that cable Answer: C Explanation: In a distributed log collection deployment.passleader. Enable on Site-B only with Passive Mode C. where you have dedicated Log Collectors. What should be done first? A.https://live. Enable on Site-B only Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Enable on Site-A and Site-B D. you must remove the device from the Collector group.

URL Filtering Answer: A Explanation: https://www. The internal web server must also initiate connections with the external server. Threat Prevention B.paloaltonetworks. Create a new Destination NAT Policy rule that marches the existing traffic and enable the Bi- directional option Answer: C Explanation: https://live. The internal host attempted to use DNS to resolve a known malicious domain into an IP address. GlobalProtect D.paloaltonetworks.com/t5/Learning-Articles/What-does-the-Bi-directional-NAT-Feature- Provide/ta-p/60593 QUESTION 132 What happens when the traffic log shows an internal host attempting to open a session to a properly configured sinkhole address? A. Application Center C. 52 http://www.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).passleader.paloaltonetworks. D. Answer: D QUESTION 133 PAS-OS 7. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option D.Answer: C Explanation: NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. What can be done to simplify the NAT policy? A. B.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn- concepts QUESTION 131 A network security engineer has a requirement to allow an external server to access an internal web server. C. A rogue DNS server used the sinkhole address to direct traffic to a known malicious domain.com . A gateway can see only the public (globally routable) IP address of the NAT device.com/documentation/70/pan-os/pan-os/monitoring/automated- correlation-engine-concepts Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. https://www. Configure a NAT Policy rule with Dynamic IP and Port C. The internal host tried to resolve a DNS query by connecting to a rogue DNS server. A malicious domain tried to contact an internal DNS server. Which license must the firewall have to obtain new correlation objectives? A. Configure ECMP to handle matching NAT traffic B.

The OSPF configuration in Site-is configured properly. 53 http://www.10 to p2p B. Which two commands should be used to troubleshoot the issue? (Choose two. Which Link Type setting will correct the error? A. The administrator has determined that the OSPF configuration in Site-is using the wrong Link Type for one of its interfaces. however. The company's network engineers made configuration changes to the switches on both network segments. show interface management B. You suspect that there is an interface misconfiguration on ethernet1/1. Set tunnel. Set ethernet1/21 to p2mp D. Soon after the cutover. and connected them to the new firewall.10 to p2mp C. users began to complain about latency and some servers stopped communicating.passleader.com/documentation/61/pan-os/pan-os/vpns/site-to-site-vpn-with- ospf QUESTION 135 A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. show interface ethernet1/1 C. show interface hardware Answer: BC Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.paloaltonetworks.QUESTION 134 Site-A and Site-have a site-to-site VPN set up between them. Set tunnel.) A. OSPF is configured to dynamically create the routes between the sites. The Site-interfaces in the graphic are using a broadcast Link Type. There are no security policies that deny traffic between the two network segments.com . show interface logical D. Set ethernet1/21 to p2p Answer: D Explanation: https://www. but the route for the tunnel is not being established.

Reset All B.com . The Network Security Administrator created an application override policy. Layer 7 processing has been disabled for SMB traffic.1 failed. Deny G. 2016. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( addr.1. a common file-sharing application. ( time_generated leq `2016/03/10 11:00:00') and ( time_generated geq `2016/03/10 11:30:00') and ( app eq web-browsing ) D.1.) A. Alert F.1. Which filter can be applied to the traffic logs to show how many users were affected during this time frame? A. between 11:00 am and 11:30 am.1. assigning all SMB traffic to a custom application. Deny All E. Layer 4 processing has been disabled for the SMB traffic.dst in 1. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( app neq web-browsing ) Answer: B QUESTION 137 Server Message Block (SMB).QUESTION 136 On March 10. Reset client C. to resolve the slowness issue.passleader. Allow Answer: BFG Explanation: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Why does this configuration resolve the issue? A. Block D. 54 http://www. ( time_generated leq `2016/03/10 11:30:00') and ( app is web-browsing ) B. Answer: C QUESTION 138 What are three valid options when creating a new security policy? (Choose three. Security policy assignment is being done more efficiently.1) C. Zone Protection is no longer being applied. B. users reported that web-browsing traffic to the IP address 1. D. is slow when passing through a Palo Alto Networks firewall. C.

com . even though SIP traffic is being allowed by policy. Disable ALG within the security policy that permits SIP traffic B. Disable ALG within the SIP application Answer: D Explanation: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Which configuration change can resolve this issue? A. Create a security policy that allows any traffic to and from SIP phones. Create an application override policy to assign all traffic to and from SIP phones to the sip application C. D.passleader. 55 http://www.QUESTION 139 The Network Security Administrator discovers that the company's NAT-aware SIP phone system is not working properly through the Palo Alto Networks firewall.

reject tcp-non-syn.1. and other vulnerabilities. overlapping segments. D. C. NAT2 B. NAT4 C. The FQDN of www.) A. They mitigate against attacks by utilizing "random early drop". fragments.passleader.com . Users in the Trust-L3 zone use the external FQDN to access SVR1. QUESTION 141 Given these tables: SVR1 is a webserver hosted in the DMZ zone. NAT1 D. This type of protection enforces a quota for your hosts. A few examples are IP spoofing. It restricts the maximum number of sessions allowed for a particular source IP address.200. destination IP address or IP source-destination pair. we also offer resources protection. NAT3 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.com is registered to an external DNS provider and resolves to 203.myserver.QUESTION 140 Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two. They mitigate against attacks by providing resource protection by limiting the number of sessions that can be used. spoofing. Answer: CD Explanation: DOS In addition to flood protection. amplification. Which NAT rule will process traffic sourced from the Trust-L3 zone destined for SVR1? A. B. 56 http://www. ZONE PROTECTION Zone protection policies allow the use of flood protection and have the ability to protect against port scanning\sweeps and packet based attacks. brute force methods.123 in the Untrust-L3 zone. They mitigate against attacks on a zone basis by providing reconnaissance protection against TCP/ UDP port scans and host sweeps. They mitigate against volumetric attacks by leveraging known vulnerabilities.

57 http://www.paloaltonetworks.) A. Universal F.com/documentation/70/pan-os/pan-os/certificate- management/configure-a-certificate-profile QUESTION 144 Ethernet1/1 has been configured with the following subinterfaces: The following security policy rule is applied: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. CRL will be preferred B.com/t5/Management-Articles/What-are-Universal-Intrazone-and- Interzone-Rules/ta-p/57491 QUESTION 143 What is the default behavior when a Certificate Profile is configured to use both CRL and OCSP? A.Answer: C Explanation: NAT 2 doesn’t make sense if the users on the trust zone are using the external fqdn to reach the SRV1 that means they are going out to internet and they must hit the untrust interface on the fw.com . Answer: D Explanation: https://www. OCSP will be preferred. QUESTION 142 What are the three Security Policy Rule Type classifications supported in PAN-OS 7. Default B.passleader. The option will the lower timeout value will be preferred. The firewall will use the first profile to respond. Intrazone E. if this is destination nat. C.paloaltonetworks. D. the correct answer must be NAT1. Global C.0? (Choose three. ExternalZone Answer: CDE Explanation: https://live. Interzone D.

10. B.2/24.10.10.passleader.10. Answer: C QUESTION 145 Given the following diagram: Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. C. D. The ping will not successful because the security policy permits this traffic.The Interface Management Profile permits the following: A customer is trying to ping 10. What will be the result of this ping? A.1 from VLAN 799 IP 10. The ping will not be successful because there is no management profile attached to ethernet1/1.com . The ping will not be successful because the virtual router is different from the other subinterfaces. The ping will not successful because the management profile applied to ethernet1/1 allows ping.799. 58 http://www. E. The ping will not be successful because the security policy does not apply to VLAN 799.

) A.0/24 Interface: none Next Hop: 192.16. 59 http://www. Name: Route-to-Site-B Destination: 172.0/24 Interface: ethernet1/1 Next Hop: 192.0. Forwarding logs D. Reassembling packets C.0. Name: Route-to-Site-B Destination: 172. A static route needs to be added to the default virtual router in the Site A firewall to enable traffic from Site A to reach all workstations in Site B.2 C.1 Next Hop: None B.16.16. Which static route configuration will satisfy the requirement? A.1 Next Hop: None D. Each site is using tunnel. Name: Route-to-Site-B Destination: 172.passleader. Protocol decoding B.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn-with- static-routing QUESTION 146 For which two functions is the management plane responsible? (Choose two.A VPN connection has been created to allow traffic from the Trust-L3 zone of Site A to reach the Trust-L3 zone of Site B. An organization has Palo Alto Networks NGFWs that send logs to remote Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.0.20.0.1 Answer: A Explanation: https://www.20.paloaltonetworks.0/24 Interface: tunnel.20. Answering HTTP requests Answer: CD QUESTION 147 Refer to exhibit.com .20. Name: Route-to-Site-B Destination: 172.1/24 Interface: tunnel.1 in the Untrust-L3 zone for the VPN connection.16.

Transparent Answer: B QUESTION 149 Which protection feature is available only in a Zone Protection Profile? A. NTLM B. Forward logs from external sources to Panorama for correlation.com . Any configuration on an M-500 would address the insufficient bandwidth concerns. D. C.monitoring and security management platforms. Redirect C. Configure log compression and optimization features on all remote firewalls.passleader. B. Single Sign-On D. UDP Flood Protections Answer: A QUESTION 150 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. 60 http://www. The network team has reported excessive traffic on the corporate WAN. ICMP Flood Protection C. Answer: C QUESTION 148 Which Captive Portal mode must be configured to support MFA authentication? A. Port Scan Protection D. and from Panorama send them to the NGFW. SYN Flood Protection using SYN Flood Cookies B. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms? A.

XML API B. C. For example. Client Probing D.1x-enabled wireless network device that has no native integration with PAN-OS?software? A. D. Automatically "download and install" but with the "disable new applications" option used. Configure the option for "Threshold". you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent QUESTION 151 How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time? A. Automatically "download only" and then install Applications and Threats later. Which configuration change should the administrator make? Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Disable automatic updates during weekdays. The only information available is shown on the following image.1x-enabled wireless network.passleader. Port Mapping C. 61 http://www.com . the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.Which User-ID method maps IP addresses to usernames for users connecting through an 802. Answer: C QUESTION 152 An administrator needs to determine why users on the trust zone cannot reach certain websites. after the administrator approves the update. B. For such cases. Server Monitoring Answer: A Explanation: Captive Portal and the other standard user mapping methods might not work for certain types of user access.

62 http://www.A. B.com . D. C. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader.

Export a named configuration snapshot. 63 http://www. D. Answer: B QUESTION 153 An administrator has users accessing network resources through Citrix XenApp 7 x. Answer: D QUESTION 156 A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Save a candidate configuration. Which application should be used to identify traffic traversing the NGFW? A. Downloaded application D. Terminal Services agent C. B. Client Probing B. Commit a running configuration. Once deployed. System logs show an application error and neither signature is used.E.com . Save a configuration snapshot. Custom application B.passleader. GlobalProtect D. C. Which User- ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources? A. Syslog Monitoring Answer: C QUESTION 154 An administrator creates a custom application containing Layer 7 signatures. The update contains an application that matches the same traffic signatures as the custom application. Custom and downloaded application signature files are merged and both are used Answer: A QUESTION 155 How can a candidate or running configuration be copied to a host external from Panorama? A. each firewall must establish secure tunnels back to multiple Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The latest application and threat dynamic update is downloaded to the same NGFW. C.

64 http://www. Preconfigured GlobalProtect client C. Application override B. Content inspection Answer: B QUESTION 158 Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule. Preconfigured GlobalProtect satellite B. Redistribution of user mappings C. static route.regional data centers to include the future regional data centers. Which solution in PAN-OS?software would help in this case? A. First four letters of the username matching any valid corporate username. Which VPN configuration would adapt to changes when deployed to the future site? A.passleader. B. Using the same user's corporate username and password. check B. or PBF rule will be triggered by the traffic? A. Virtual Wire mode D. find C. which creates a bottleneck near the User-ID agent server. D. C. Answer: A QUESTION 160 Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general? Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. test D. which login will be detected as credential theft? A. Marching any valid corporate username. Preconfigured PIsec tunnels D. sim Answer: C QUESTION 159 If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method. NAT translation. Mapping to the IP address of the logged-in user. Preconfigured PPTP Tunnels Answer: A QUESTION 157 A global corporate office has a large-scale network with only one User-ID agent.com .

Reduce the traffic being decrypted by the firewall. Device>Setup> Management> Logging and Reporting Settings Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Data filtering B. Allow application facebook on top D.) A. 65 http://www. D.com . Microsoft Hyper-V Answer: BD QUESTION 164 To connect the Palo Alto Networks firewall to AutoFocus. Answer: CDE QUESTION 163 Which two virtualization platforms officially support the deployment of Palo Alto Networks VM- Series firewalls? (Choose two. E. Boot Strap Virtualization Module (BSVM) D. AutoFocus is enabled by default on the Palo Alto Networks NGFW D. Disable SNMP on the management interface. B. File blocking D.A. Disable predefined reports.) A. which setting must be enabled? A. Credential phishing prevention Answer: D QUESTION 162 Which three steps will reduce the CPU utilization on the management plane? (Choose three. Deny application facebook-chat before allowing application facebook B. Device>Setup>WildFire>AutoFocus E. User-ID C. C. Allow application facebook before denying application facebook-chat Answer: A QUESTION 161 Which feature prevents the submission of corporate login information into website forms? A. Kernel Virtualization Module (KVM) C. Red Hat Enterprise Virtualization (RHEV) B. Application override of SSL application. Disable logging at session start in Security policies. Device>Setup>Services>AutoFocus B. Device> Setup>Management >AutoFocus C. Deny application facebook on top C.passleader.

Option D Answer: C QUESTION 167 Which three options are supported in HA Lite? (Choose three. Option A B.1.22. Option C D.1. The application name assigned to the traffic by the security rule is written to the Traffic log.com .passleader. Option B C. B.22. Answer: B QUESTION 166 An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Threat-ID processing time is decreased. 66 http://www.9 port 80/TCP needs to be forwarded to the server at 10.15. Virtual link Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The Palo Alto Networks NGFW stops App-ID processing at Layer 4. App-ID processing time is increased.) A. Based on the information shown in the image.Answer: B QUESTION 165 Which event will happen if an administrator uses an Application Override Policy? A. Traffic destined for 206. D. C. which NAT rule will forward web- browsing traffic correctly? A.

Pre-existing logs from the firewalls are not appearing in Panorama. which then synchronize with each other D. The log database will need to exported form the firewalls and manually imported into Panorama. B. C. A CLI command will forward the pre-existing logs to Panorama. but the application could not be identified. the administrator enables log forwarding from the firewalls to Panorama. The three-way TCP handshake was observed. Data was received but was instantly discarded because of a Deny policy was applied before App- ID could be applied. The three-way TCP handshake did not complete. Synchronization of IPsec security associations D." What does "incomplete" mean? A. 67 http://www. Answer: C QUESTION 169 An administrator is using Panorama and multiple Palo Alto Networks NGFWs. Use the ACC to consolidate pre-existing logs. D. which then synchronizes to the active firewall B. The traffic is coming across USP. Session synchronization Answer: BCD QUESTION 168 A session in the Traffic log is reporting the application as "incomplete. After upgrading all devices to the latest PAN-OS?software. with no synchronization afterward Answer: C QUESTION 171 Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three. D.passleader. C. The active firewall.com . B. Both the active and passive firewalls independently. which then synchronizes to the passive firewall C. Which NGFW receives the configuration from Panorama? A. Both the active and passive firewalls.B. Configuration synchronization E. Which action would enable the firewalls to send their pre-existing logs to Panorama? A. and the application could not be identified.) Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Use the import option to pull logs into Panorama. Active/passive deployment C. The Passive firewall. Answer: B QUESTION 170 An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.

.dll B. VM-800 C. . Security policy rule allowing SSL to the target server B. Importation of a certificate from an HSM Answer: A QUESTION 174 Which Palo Alto Networks VM-Series firewall is valid? A. . Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ B.) A. Root certificate imported into the firewall with "Trust" enabled D.com . but configuring EIGRP on subinterfaces only Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.exe C.passleader. EIGRP Routing between the two environments is required. .apk E. .src D. Active B. . 68 http://www. Which interface type would support this business requirement? A. VM-25 B. Pending D. Passive E. Functional C. Layer 3 or Aggregate Ethernet interfaces.pdf F.A. VM-400 Answer: C QUESTION 175 An administrator needs to implement an NGFW between their DMZ and Core network. VM-50 D. Suspended Answer: ADE QUESTION 173 An administrator encountered problems with inbound decryption.jar Answer: DEF QUESTION 172 Which three firewall states are valid? (Choose three. Which option should the administrator investigate as part of triage? A. Firewall connectivity to a CRL C.

C. Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2. Soon after the cutover. SSL and 80 C. Layer 3 interfaces. show interface hardware B.com will appear as which application and service within the Traffic log? A. web-browsing and 443 B. but configuring EIGRP on the attached virtual router Answer: B QUESTION 176 A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company's PCI environment from its production network. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no pfs D.passleader.microsoft.C. The following entry is appearing in the logs: Pfs group mismatched: my:0 peer:2 Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message? A. and connected them to the new firewall. show interface management C. show interface logical Answer: CD QUESTION 177 After Migrating from an ASA firewall to a Palo Alto Networks Firewall. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols) D.com . You suspect that there is an interface misconfiguration on Ethernet 1/1. Update. SSL and 443 D. There are no security policies that deny traffic between the two networks segments. web-browsing and 80 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Answer: D QUESTION 178 Decrypted packets from the website https://www. Update the IKE Crypto profile for the Vendor IKE gateway from no pfs to group2. 69 http://www. however. the VPN connection between a remote network and the Palo Alto Networks Firewall is not establishing correctly. The company's engineers made configuration changes to the switches on both network segments.the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. show interface ethernet1/1 D. B. users began to complain about latency and some servicers stopped communicating. Which two commands should be used to troubleshoot the issue? (Choose two) A.

Answer: B QUESTION 180 A web server is hosted in the DMZ.) A. Depending on the firewall location. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. which two processes are performed in application identification? (Choose two. Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080. Create an Application Override policy and custom threat signature for the application. application: web-browsing.passleader. application: ssl. D. Panorama decides with settings to send. and the server is configured to listen for incoming connections only on TCP port 8080. A. application: web-browsing. The administrator will be promoted to choose the settings for that chosen firewall. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server. Pattern based application identification B. Create a custom App-ID and use the "ordered conditions" check box. All the settings configured in all templates. service: service-https C. Create an Application Override policy. The settings assigned to the template that is on top of the stack. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. C. service: application-default B. which settings are published to the device when the template stack is pushed? A.com . Answer: A QUESTION 182 During the packet flow process. Create a custom App-ID and enable scanning on the advanced tab. D. service: (custom with destination TCP port 8080) Answer: A QUESTION 181 An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. C. service: any D. Application override policy match Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.Answer: B QUESTION 179 If a template stack is assigned to a device and the stack includes three templates with overlapping settings. 70 http://www. application: web-browsing. Which option would achieve this result? A. B. B.

71 http://www. Authentication D.com/documentation/71/pan-os/web-interface- help/globalprotect/network-globalprotect-portals QUESTION 185 The certificate information displayed in the following image is for which type of certificate? Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. To enable user authentication to the Portal D. https://www. Application changed from content inspection D.C. Select Satellite to specify the authentication profile to use to authenticate the satellite.com . To enable client machine authentication to the Portal Answer: C Explanation: The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Authorization Answer: A QUESTION 184 When configuring a GlobalProtect Portal. what is the purpose of specifying an Authentication Profile? A. WebUI C. Answer: BD QUESTION 183 An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. To enable Portal authentication to the Gateway C. Admin Role B. To enable Gateway authentication to the Portal B. Which profile is the cause of the missing Policies tab? A. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Session application identified.passleader.paloaltonetworks.

Public CA signed certificate Answer: D QUESTION 186 An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. 99 C.passleader. The administrator assigns priority 100 to the active firewall. Self-Signed Root CA certificate C. Which priority is correct for the passive firewall? A. Packet forwarding process B.A. 0 B.com . Forward Trust certificate B. SSL Proxy re-encrypt C. IPsec tunnel encryption D. 1 D. Packet egress process Answer: A Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 72 http://www. Web Server certificate D. 255 Answer: D QUESTION 187 Which option is part of the content inspection process? A.

QUESTION 188 Which three types of software will receive a Grayware verdict from WildFire? (Choose Three) A.passleader. set deviceconfig interface speed-duplex 1Gbps-full-duplex B. An administrator is using DNAT to map two servers to a single public IP address. 73 http://www.com/documentation/translated/70/newfeaturesguide/wildfire- features/wildfire-grayware-verdict QUESTION 189 A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. Ransomeware D. RIB C. Traffic will be steered to the specific server based on the application. FIB Answer: B QUESTION 191 Refer to the exhibit.1.1. set deviceconfig Interface speed-duplex 1Gbps-half-duplex Answer: B QUESTION 190 In a virtual router. Potentially unwanted programs E.paloaltonetworks. SIP D. set deviceconfig system speed-duplex 1Gbps-full-duplex D. Answer: ADE Explanation: https://www. How would an administrator configure the interface to 1Gbps? A.1.100) receives HTTP traffic and HOST B (10. which object contains all potential routes? A. Trojans C.101) receives SSH traffic. set deviceconfig system speed-duplex 1Gbps-duplex C. Adware. MIB B. where Host A (10.com . Browser Toolbar B.1.) Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.

1). ssh 瑼llow E. Zone protection is no longer being applied. web-browsing -Allow B.100.1. Why does this configuration resolve the issue? A.10. D.1).1. Which two configuration options can be used to correctly categorize their custom database application? (Choose two. Security policy to identify the custom application. Untrust (Any) to DMZ (10. C. Untrust (Any) to DMZ (10. Layer 4 processing has been disabled for the SMB traffic.com . assigning all SMB traffic to a custom application. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 74 http://www. Custom Service object. Answer: BC QUESTION 193 Server Message Block (SMB).1. B.1.passleader. The Network Security Administrator created an application override policy. D. Application Override policy. Untrust (Any) to Untrust (10.1.1. is slow when passing through a Palo Alto Networks firewall. Untrust (Any) to Untrust (10. Layer 7 processing has been disabled for SMB traffic. ssh -Allow C.1.1). ssh. to resolve the slowness issue.1. B. Untrust (Any) to DMZ (10.1.) A. web-browsing -Allow Answer: CD QUESTION 192 A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections.1. Security policy assignment is being done more efficiently.1). C.1.Which two security policy rules will accomplish this configuration? (Choose two. web-browsing -Allow D.) A. Custom application.101). a common file-sharing application.1.

Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question. B.) A. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question. How can the firewall be configured automatically disable the PBF rule if the next hop goes down? A.) A. At other times the session times out. View the ACC tab to isolate routing issues. C. B. D. View System logs. Answer: CD QUESTION 197 A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.com.company. View the System logs and look for the error messages about BGP. C. Which two options enable the administrator to troubleshoot this issue? (Choose two. D. such as threats detected in the last 30 days? A. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Session Browser B. Enable and configure a Link Monitoring Profile for the external interface of the firewall. View the Runtime Stats and look for problems with BGP configuration. Add a redistribution profile to forward as BGP updates. 75 http://www. TCP Dump D.Answer: A QUESTION 194 An administrator has enabled OSPF on a virtual router on the NGFW. Perform a traffic pcap on the NGFW to see any BGP problems. B.company. Which two options would help the administrator troubleshoot this issue? (Choose two. OSPF is not adding new routes to the virtual router. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.com. Application Command Center C.passleader. View Runtime Stats in the virtual router. Packet Capture Answer: B QUESTION 196 The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW. but new routes do not seem to be populating the virtual router. C. Answer: AC QUESTION 195 Which tool provides an administrator the ability to see trends in traffic over periods of time. Perform a traffic pcap at the routing stage.com .

How quickly will the firewall receive back a verdict? A.D. Application Center B.) A. 76 http://www. Configure path monitoring for the next hop gateway on the default route in the virtual router.com . Assume a 5. 10 to 15 minutes D. URL Filtering C. GlobalProtect D.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC). 5 minutes C. All device groups inherit settings form the Shared group D. The firewall is configured to check for verdicts every 5 minutes. Zone Protection profile C. Which license must the firewall have to obtain new correlation objectives? A. 5 to 10 minutes Answer: D QUESTION 200 What are two benefits of nested device groups in Panorama? (Choose two. Vulnerability Protection profile Answer: A QUESTION 199 A Palo Alto Networks NGFW just submitted a file to WildFire for analysis.passleader. More than 15 minutes B.minute window for analysis. Requires configuring both function and location for every device C. Overwrites local firewall configuration Answer: BC QUESTION 201 PAN-OS 7. Anti-Spyware profile D. Reuse of the existing Security policy rules and objects B. Threat Prevention Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Answer: D QUESTION 198 Which feature must you configure to prevent users form accidentally submitting their corporate credentials to a phishing website? A. URL Filtering profile B.

Answer: D QUESTION 202 An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS?software. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. but no internet connectivity from the management interface. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. CRL C. The configuration is invalid. Which three functions are performed by the dataplane? (Choose three.passleader. antivirus E. 77 http://www. WildFire updates B. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile. Scheduler Answer: A QUESTION 203 Which three settings are defined within the Templates object of Panorama? (Choose three. The firewall has internet connectivity through an Ethernet interface. Interfaces D. The Profile Settings section will be grayed out when the Action is set to "Deny".) A. Virtual Routers C. Which action will this cause configuration on the matched traffic? A. Security E.com . Setup B. Service route D. What must the administrator configure so that the PAN-OS?software can be upgraded? A. NTP D. NAT C. B. Security policy rule B. Application Override Answer: ADE QUESTION 204 An administrator has left a firewall to use the default port for all management services. The configuration will allow the matched session unless a vulnerability is detected.) A. File blocking Answer: ABC QUESTION 205 A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny".

A warning will be displayed during a commit. Anti-Spyware B.C. ethernet1/3 going down C. D. Instruction Prevention C. ethernet1/3 and ethernet1/6 going down B. The configuration is valid.com . ethernet1/6 going down Answer: A QUESTION 207 An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. It will cause the firewall to deny the matched sessions. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader. Antivirus Answer: D QUESTION 208 Refer to the exhibit. It will cause the firewall to skip this Security policy rule." Answer: B QUESTION 206 If the firewall has the link monitoring configuration. The configuration is invalid. what will cause a failover? A. ethernet1/3 or Ethernet1/6 going down D. Which Security Profile type will protect against worms and trojans? A. File Blocking D. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny. 78 http://www.

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct? A.com . 79 http://www. The configuration problem seems to be on the firewall side.An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama.

C.B. 80 http://www.com .passleader. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.

Use the DNS App-ID with application-default. Answer: D QUESTION 209 A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. D. Which option will protect the individual servers? A. Answer: A QUESTION 210 Refer to the exhibit.D. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Enable packet buffer protection on the Zone Protection Profile. Apply an Anti-Spyware Profile with DNS sinkholing.com . 81 http://www. B. Apply a classified DoS Protection Profile.passleader. C.

com . ethernet1/7 D. ethernet1/6 B. ethernet1/5 Answer: D QUESTION 211 Which PAN-OS?policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data? A.113? A.passleader.46.111. ethernet1/3 C.41. 82 http://www.168. Security policy B. Decryption policy Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.3 and to the destination 10.

SSL Forward Proxy B. debug system details B. 83 http://www. Enable all four stages of traffic capture (TX. show session info C. PAN-OS?version. B. Answer: A QUESTION 213 If an administrator does not possess a website's certificate. Application Override policy Answer: C QUESTION 212 How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW? A. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers. B. Use the topdump command.passleader.com . Use the debug dataplane packet-diag set capture stage firewall file command. Which configuration setting or step will allow the firewall to get automatic application signature updates? A. SSL Inbound Inspection C. Firewall). SSL Outbound Inspection Answer: B QUESTION 214 Which CLI command enables an administrator to view details about the firewall including uptime. show system info D. Use the debug dataplane packet-diag set capture stage management file command. show system details Answer: C QUESTION 215 An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. RX. A scheduler will need to be configured for application signatures. TLS Bidirectional proxy D. and serial number? A. C.C. which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites? A. Authentication policy D. D. DROP.

QUESTION 216 A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. System Logs Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. ACC B. displays them at the top of the list.) A. Netflow Profile Answer: BD QUESTION 217 Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services? A. if there are updates available. Replay Answer: A QUESTION 219 Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW? A.com . A Threat Prevention license will need to be installed. which protection profile can be enabled to prevent this malicious behavior? A. Configure an SSL/TLS Profile. Which two mandatory options are used to configure a VLAN interface? (Choose two. 84 http://www. Web Application D. D. Set up SSL/TLS under Polices > Service/URL Category>Service. Virtual router B. DoS Protection C. Zone Protection B. Set up Security policy rule to allow SSL communication. ARP entries D. A service route will need to be configured. Security zone C.passleader. D. Answer: D QUESTION 218 VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor.C. Answer: D Explanation: The firewall uses the service route to connect to the Update Server and checks for new content release versions and. When creating a VPN tunnel. Configure a Decryption Profile and select SSL/TLS services. B. C.

Disable the exclude cache option for the firewall. There are three entries." and place the rule at the top of the Decryption policy. App-ID Answer: D QUESTION 221 An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. B. Port Inspection B. Answer: D QUESTION 222 Refer to the exhibit. App Scope D.critical applications. Create a Decryption Profile to block traffic using unsupported cyphers.Decrypt. The next two entries show traffic allowed as application SSL. 85 http://www. SSL. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy. The administrator also creates a Security policy rule allowing only the applications DNS. Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL? A. D. Content-ID D.C. Session Browser Answer: D QUESTION 220 An administrator needs to optimize traffic to prefer business-critical applications over non. C.com .passleader. Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. QoS natively integrates with which feature to provide service quality? A. and attach the profile to the decryption rule. and web-browsing. Create a decryption rule matching the encrypted BitTorrent traffic with action "No. Certificate revocation C. The first entry shows traffic dropped as application Unknown.

Which certificates can be used as a Forwarded Trust certificate? A. Domain Sub-CA C. scp export mgmt-pcap from mgmt. scp extract mgmt-pcap from mgmt. RADIUS D. scp export tcpdump from mgmt.com .pcap to <username@host:path> B.pcap to <username@host:path> C.) A. download mgmt. Forward_Trust D. PAP Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Domain-Root-Cert Answer: A QUESTION 223 Which method does an administrator use to integrate all non-native MFA platforms in PAN- OS?software? A. Okta B.passleader. DUO C. Certificate from Default Trust Certificate Authorities B. PingID Answer: C QUESTION 224 Which CLI command can be used to export the tcpdump capture? A.-pcap Answer: C QUESTION 225 Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.pcap to <username@host:path> D. 86 http://www. Kerberos B.

B. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI D. Restful API or the VMware API on the firewall or on the User-ID agent C. GlobalProtect Answer: D QUESTION 228 Which two options prevent the firewall from capturing traffic passing through it? (Choose two. The traffic is offloaded.) A. HA state information Answer: C Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. TACACS+ E. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent Answer: D QUESTION 227 Which feature can be configured on VM-Series firewalls? A. The traffic does not match the packet capture filter. 87 http://www. Answer: BC QUESTION 229 What is exchanged through the HA2 link? A. SAML D. hello heartbeats B. RADIUS F. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC) B.C. aggregate interfaces B. multiple virtual systems D.com .passleader. C. The firewall is in multi-vsys mode. session synchronization D. D. The firewall's DP CPU is higher than 50%. LDAP Answer: ACF QUESTION 226 Which method will dynamically register tags on the Palo Alto Networks NGFW? A. machine learning C. User-ID information C.

Answer: D QUESTION 232 Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.168.168. It enables a client to perform a reverse DNS lookup on 192.10. which adds the internal gateway's hostname and IP address to the DNS server. It configures the tunnel address of all internal clients to an IP address range starting at 192.1 to detect that it is an internal client. User-ID C.) Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. What is the purpose of this configuration? A. Which option describes deployment of a bootstrap package in an on-premise virtual environment? A. Bootstrapping is the most expedient way to perform this task. B.com .168. Antivirus Answer: CD QUESTION 233 Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.10. It forces the firewall to perform a dynamic DNS update. on-premise lab environment (not in "the cloud").10.1. Create and attach a virtual hard disk (VHD). Answer: C QUESTION 231 An administrator has been asked to create 100 virtual firewalls in a local. Applications and Threats D. D. 88 http://www. Use config-drive on a USB stick. C. C. Content-ID B. It forces an internal client to connect to an internal gateway at IP address 192. B. Use a virtual CD-ROM with an ISO.passleader. Use an S3 bucket with an ISO.1.QUESTION 230 View the GlobalProtect configuration screen capture. D.) A.

Antivirus Answer: A QUESTION 237 Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.A. Which Security Profile type will prevent this attack? A. Vulnerability Protection B.passleader. Anti-Spyware C. SSH Forward Proxy D. Block sessions with untrusted issuers E. SSL Inbound Inspection C. file types C. application Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Block sessions with client authentication C. Block sessions with expired certificates B.com . which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server? A. debug running resources Answer: A QUESTION 235 If an administrator wants to decrypt SMTP traffic and possesses the server's certificate.) A. SMTP Inbound Decryption Answer: B QUESTION 236 An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. debug data-plane dp-cpu C. TLS Bidirectional Inspection B. URL Filtering D. show system resources D. Block credential phishing Answer: ABC QUESTION 234 Which CLI command enables an administrator to check the CPU utilization of the dataplane? A. 89 http://www. Block sessions with unsupported cipher suites D. maximum file size B. show running resource-monitor B.

Flood Protection C. Enable LDAP or RADIUS integration C. Set up multi-factor authentication D. Decryption Mirror interface with the associated Decryption Port Mirror license Answer: D QUESTION 241 An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. Descendant objects will take precedence over ancestor objects. Use custom certificates B.D. Decryption Mirror interface with the Threat Analysis license B. D. TCP Port Scan Protection Answer: C QUESTION 239 Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?" A. deep-level packet inspection appliance. How would the administrator establish the chain of trust? A. Which interface type and license feature are necessary to meet the requirement? A. C. Descendant objects will take precedence over other descendant objects. Resource Protection D. Virtual Wire interface with the Decryption Port Export license C. Ancestor objects will have precedence over descendant objects. Answer: C QUESTION 240 An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party. Configure strong password authentication Get Latest & Actual PCNSE Exam's Question and Answers from Passleader.passleader. 90 http://www. Packet Based Attack Protection B.com . B. Tap interface with the Decryption Port Mirror license D. Ancestor objects will have precedence over other ancestor objects. direction Answer: BCD QUESTION 238 Which DoS protection mechanism detects and prevents session exhaustion attacks? A.

Which two options are available to identify the application? (Choose two. Create a custom object for the custom application server to identify the custom application. Data Filtering log D. Check for WildFire forwarding logs. Answer: A QUESTION 243 An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port.) A. Decryption log C.) A. In the details of the Threat log entries Answer: A QUESTION 244 Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two. Answer: DE QUESTION 245 When is the content inspection performed in the packet flow process? A. Verify AutoFocus status using CLI.Answer: A QUESTION 242 The firewall identifies a popular application as an unknown-tcp. Check the license E.passleader. 91 http://www. D. before the packet forwarding process D. D. C. before session lookup C.com . B. Check the WebUI Dashboard AutoFocus widget. Verify AutoFocus is enabled below Device Management tab. Submit an Apple-ID request to Palo Alto Networks. B. after the SSL Proxy re-encrypts the packet Answer: A Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. In the details of the Traffic log entries B. after the application has been identified B. Which log entry can the administrator use to verify that sessions are being decrypted? A. Create a Security policy to identify the custom application. C. Create a custom application.

client probing D. port mapping B. Untrust (any) to Untrust (1. web browsing ?Allow D. Untrust (any) to DMZ (10. 100).1. web browsing ?Allow C. which information is transferred via the HA data link? A. 1. 100). 1. User-ID information Answer: A QUESTION 249 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. Untrust (any) to DMZ (1.QUESTION 246 Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server? A. 1. server monitoring C. 92 http://www. 1. 1. 100). web browsing ?Allow B. heartbeats C.passleader. 1. Which Security policy rule will allow traffic to flow to the web server? A. 1.com . web browsing ?Allow Answer: B QUESTION 248 In High Availability. XFF headers Answer: A QUESTION 247 Refer to the exhibit. HA state information D. Untrust (any) to Untrust (10. session information B. A web server in the DMZ is being mapped to a public address through DNAT. 100).

) A. ae. SMS Answer: ADE QUESTION 250 A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.com . D. WildFire Submissions C. Data Filtering B. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)? A.8 B. Traffic Answer: C QUESTION 253 Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. aggregate.) A. aggregate.1 D. B. 93 http://www. Pull C. Which two formats are correct for naming aggregate interfaces? (Choose two. Add a DoS Protection Profile with defined session count. Add a Vulnerability Protection Profile to block the attack. Okta Adaptive D. Voice E. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.8 Answer: AC QUESTION 252 If a DNS sinkhole is configured. Threat D.1 C. Answer: D QUESTION 251 A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Push B.passleader. any sinkhole actions indicating a potentially infected host are recorded in which log type? A. C. ae. Add QoS Profiles to throttle incoming requests.Which three authentication factors does PAN-OS?software support for MFA (Choose three.

passleader. Failover C. service: application-default. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. service: application-default. LDAP E.) A. C. action: allow B. Answer: B QUESTION 256 Which virtual router feature determines if a specific destination IP address is reachable? A. action: allowRule #2: application: web-browsing. RADIUS Answer: ADF QUESTION 255 Which prerequisite must be satisfied before creating an SSH proxy Decryption policy? A. Rule # 1: application: ssl. needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443. SSH keys must be manually generated. SSL certificates must be generated.com . service: application-default. service: service-http. action: allow D.A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. service: application-default. action: allow C. No prerequisites are required. Rule #1: application: web-browsing. action: allowRule #2: application: ssl. Rule #1: application: web-browsing. action: allowRule #2: application: ssl. service: service-https. Both SSH keys and SSL certificates must be generated. Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. action: allowRule #2: application: ssl. Rule #1: application: web-browsing. SAML F. Which combination of service and application. 94 http://www. Ping-Path Answer: C Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. The web server hosts its contents over HTTP(S). D. Kerberos C. A. and order of Security policy rules. service: application-default. TACACS+ B. Path Monitoring D. action: allow Answer: A QUESTION 254 Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three. Heartbeat Monitoring B. PAP D. service: application-default. B.