Good PCNSE Study Guide - Try To Test Free PCNSE Dumps Questions Online

Good PCNSE Study Guide – Try To Test Free PCNSE Dumps Questions Online

Eleanor2022-03-05T02:24:21+00:00

By Eleanor Palo Alto Networks PCNSE, PCNSE study guide 0 Comments

Palo Alto Networks provides candidates with 6 role-based certification for their cybersecurity career, including:

PCCET Palo Alto Networks Certified Cybersecurity Entry-level Technician
PCNSA Palo Alto Networks Certified Network Security Administrator
PCDRA Palo Alto Networks Certified Detection and Remediation Analyst
PCCSE Prisma Certified Cloud Security Engineer
PCNSE Palo Alto Networks Certified Network Security Engineer
PCSAE Palo Alto Networks Certified Security Automation Engineer

PCNSE, as one of the Palo Alto Networks role-based certification exams, is for who uses Palo Alto Networks products, including customers, partners, systemengineers, systems integrators, and support engineers to recognize them with in-depth knowledge and abilities to design, deploy, operate, manage, and troubleshoot Palo AltoNetworks Next-Generation Firewalls. While preparing for PCNSE exam and making a clear decision to practice PCNSE exam well, good PCNSE study guide could be the best preparation materials for learning.

Try to Test free PCNSE dumps questions online

Page 1 of 8

1. PBF can address which two scenarios? (Select Two)

forwarding all traffic by using source port 78249 to a specific egress interface

providing application connectivity the primary circuit fails

enabling the firewall to bypass Layer 7 inspection

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

2. Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

Zone Protection Profiles protect ingress zones

Zone Protection Profiles protect egress zones

DoS Protection Profiles are packet-based, not signature-based

DoS Protection Profiles are linked to Security policy rules

3. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Yes. because the action is set to "allow ''

No because WildFire categorized a file with the verdict "malicious"

Yes because the action is set to "alert"

No because WildFire classified the seventy as "high."

4. During SSL decryption which three factors affect resource consumption1? (Choose three)

TLS protocol version

transaction size

key exchange algorithm

applications that use non-standard ports

certificate issuer

5. 1.A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.

Which configuration is necessary to retrieve groups from Panorama?

Configure an LDAP Server profile and enable the User-ID service on the management interface.

Configure a group mapping profile to retrieve the groups in the target template.

Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.

Configure a master device within the device groups.

6. A variable name must start with which symbol?

7. What is a key step in implementing WildFire best practices?

In a mission-critical network, increase the WildFire size limits to the maximum value

In a security-first network set the WildFire size limits to the minimum value

Configure the firewall to retrieve content updates every minute

Ensure that a Threat Prevention subscription is active

8. Which statement is true regarding a Best Practice Assessment?

It shows how your current configuration compares to Palo Alto Networks recommendations

It runs only on firewalls

When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture

9. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

review the configuration logs on the Monitor tab

click Preview Changes under Push Scope

use Test Policy Match to review the policies in Panorama

context-switch to the affected firewall and use the configuration audit tool

10. An administrator wants to enable zone protection

Before doing so, what must the administrator consider?

Activate a zone protection subscription.

To increase bandwidth no more than one firewall interface should be connected to a zone

Security policy rules do not prevent lateral movement of traffic between zones

The zone protection profile will apply to all interfaces within that zone

Page 2 of 8

11. DRAG DROP

Match each SD-WAN configuration element to the description of that element.

12. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

the website matches a category that is not allowed for most users

the website matches a high-risk category

the web server requires mutual authentication

the website matches a sensitive category

13. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

14. When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Disable HA

Disable the HA2 link

Disable config sync

Set the passive link state to 'shutdown.-

15. When setting up a security profile which three items can you use? (Choose three)

Wildfire analysis

anti-ransom ware

antivirus

URL filtering

decryption profile

16. DRAG DROP

Please match the terms to their corresponding definitions.

17. Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users.

Which method can capture IP-to-user mapping information for users on the Linux machines?

You can configure Captive Portal with an authentication policy.

IP-to-user mapping for Linux users can only be learned if the machine is joined to the domain.

You can set up a group-based security policy to restrict internet access based on group membership

You can deploy the User-ID agent on the Linux desktop machines

18. An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.

All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.

This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

System logs

Traffic logs

WildFire logs

Threat logs

19. An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information

However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD

How can portaes based on group mapping be learned and enforced in Prisma Access?

Configure Prisma Access to learn group mapping via SAML assertion

Assign a master device in Panorama through which Prisma Access learns groups

Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access

Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers

20. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?

action 'reset-both' and packet capture 'extended-capture'

action 'default' and packet capture 'single-packet'

action 'reset-both' and packet capture 'single-packet'

action 'reset-server' and packet capture 'disable'

Page 3 of 8

21. Refer to the diagram.

An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups

Where will the object need to be created within the device-group hierarchy?

Americas

East

West

22. An engineer is creating a security policy based on Dynamic User Groups (DUG) What benefit does this provide?

Automatically include users as members without having to manually create and commit policy or group changes

DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall

It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies

Schedule commits at a regular intervals to update the DUG with new users matching the tags specified

23. How can packet butter protection be configured?

at me device level (globally to protect firewall resources and ingress zones, but not at the zone level

at the device level (globally) and it enabled globally, at the zone level

at the interlace level to protect firewall resources

at zone level to protect firewall resources and ingress zones but not at the device level

24. Use the image below.

If the firewall has the displayed link monitoring configuration what will cause a failover?

ethernet1/3 and ethernet1/6 going down

ethernet1/3 going down

ethernet1/6 going down

ethernet1/3 or ethernet1/6 going down

25. An administrator needs to gather information about the CPU utilization on both the management plane and the data plane

Where does the administrator view the desired data?

Monitor > Utilization

Resources Widget on the Dashboard

Support > Resources

Application Command and Control Center

26. To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?

Add the policy in the shared device group as a pre-rule

Reference the targeted device's templates in the target device group

Add the policy to the target device group and apply a master device to the device group

Clone the security policy and add it to the other device groups

27. Which two firewall components enable you to configure SYN flood protection thresholds? (Choose two)

Dos Protection policy

QoS Profile

Zone Protection Profile

DoS Protection Profile

28. What are three reasons for excluding a site from SSL decryption? (Choose three.)

the website is not present in English

unsupported ciphers

certificate pinning

unsupported browser version

mutual authentication

29. Before you upgrade a Palo Alto Networks NGFW, what must you do?

Make sure that the PAN-OS support contract is valid for at least another year

Export a device state of the firewall

Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

Make sure that the firewall is running a supported version of the app + threat update

30. What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies?

Traffic is dropped because there is no matching SD-WAN policy to direct traffic.

Traffic matches a catch-all policy that is created through the SD-WAN plugin.

Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.

Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

Page 4 of 8

31. What are three types of Decryption Policy rules? (Choose three.)

SSL Inbound Inspection

SSH Proxy

SSL Forward Proxy

Decryption Broker

Decryption Mirror

32. A standalone firewall with local objects and policies needs to be migrated into Panorama .

What procedure should you use so Panorama is fully managing the firewall?

Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"

Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration

Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration

Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"

33. DRAG DROP

Match each GlobalProtect component to the purpose of that component

34. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

no install on the route

duplicate static route

path monitoring on the static route

disabling of the static route

35. Given the following configuration, which route is used for destination 10.10.0.4?

Route 4

Route 3

Route 1

Route 3

36. You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For.

Which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three)

High

Medium

Critical

Informational

Low

37. When you configure an active/active high availability pair which two links can you use? (Choose two)

HA2 backup

HA3

Console Backup

HSCI-C

38. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

Obtain an enterprise CA-signed certificate for the Forward Trust certificate

Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate

Use an enterprise CA-signed certificate for the Forward Untrust certificate

Use the same Forward Trust certificate on all firewalls in the network

39. As a best practice, which URL category should you target first for SSL decryption*?

Online Storage and Backup

High Risk

Health and Medicine

Financial Services

40. A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration Once deployed each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers

Which VPN preconfigured configuration would adapt to changes when deployed to the future site?

IPsec tunnels using IKEv2

PPTP tunnels

GlobalProtect satellite

GlobalProtect client

Page 5 of 8

41. What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)

Destination Zone

App-ID

Custom URL Category

User-ID

Source Interface

42. You need to allow users to access the office-suite applications of their choice .

How should you configure the firewall to allow access to any office-suite application?

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

43. in a template you can configure which two objects? (Choose two.)

SD WAN path quality profile

application group

IPsec tunnel

Monitor profile

44. Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

performing a local firewall commit

removing the firewall as a managed device in Panorama

performing a factory reset of the firewall

removing the Panorama serial number from the ZTP service

45. Which two statements are true for the DNS Security service? (Choose two.)

It eliminates the need for dynamic DNS updates

It functions like PAN-DB and requires activation through the app portal

It removes the 100K limit for DNS entries for the downloaded DNS updates

It is automatically enabled and configured

46. An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration

Which two solutions can the administrator use to scale this configuration? (Choose two.)

variables

template stacks

collector groups

virtual systems

47. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three)

configure a device block list

rename a vsys on a multi-vsys firewall

enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

add administrator accounts

change the firewall management IP address

48. Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

show session all ssI-decrypt yes count yes

show session filter ssl-decryption yes total-count yes

show session all filter ssl-decrypt yes count yes

show session all filter ssl-decryption yes total-count yes

49. What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?

Phase 2 SAs are synchronized over HA2 finks

Phase 1 and Phase 2 SAs are synchronized over HA2 links

Phase 1 SAs are synchronized over HA1 links

Phase 1 and Phase 2 SAs are synchronized over HA3 links

50. A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Create a Dynamic Admin with the Panorama Administrator role

Create a Custom Panorama Admin

Create a Device Group and Template Admin

Create a Dynamic Read only superuser

Page 6 of 8

51. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

inherit address-objects from templates

define a common standard template configuration for firewalls

standardize server profiles and authentication configuration across all stacks

standardize log-forwarding profiles for security polices across all stacks

52. Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

Layer 2

Tap

Layer 3

Decryption Mirror

53. A network administrator wants to use a certificate for the SSL/TLS Service Profile.

Which type of certificate should the administrator use?

certificate authority (CA) certificate

client certificate

machine certificate

server certificate

54. In a firewall, which three decryption methods are valid? (Choose three)

SSL Inbound Inspection

SSL Outbound Proxyless Inspection

SSL Inbound Proxy

Decryption Mirror

SSH Proxy

55. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

PAN-OS integrated User-ID agent

LDAP Server Profile configuration

GlobalProtect

Windows-based User-ID agent

56. What are two valid deployment options for Decryption Broker? (Choose two)

Transparent Bridge Security Chain

Layer 3 Security Chain

Layer 2 Security Chain

Transparent Mirror Security Chain

57. Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

No Direct Access to local networks

Satellite mode

Tunnel mode

IPSec mode

58. An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

Layer 3 interfaces but configuring EIGRP on the attached virtual router

Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on subinterfaces only

Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel {with the GlobalProtect License to support LSVPN and EIGRP protocols)

59. In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

1 to 4 hours

6 to 12 hours

24 hours

36 hours

60. A security engineer needs firewall management access on a Inside interface.

When three settings are required on an SSI/TVS Service Profile to provide secure Wet) Ui authentication? (Choose three.)

Maximum TLS version

Minimum TLV version

Encryption Algorithm

Certificate

Authentication Algorithm

Page 7 of 8

61. Which three statements accurately describe Decryption Mirror? (Choose three.)

Decryption Mirror requires a tap interface on the firewall

Decryption, storage, inspection and use of SSL traffic are regulated in certain countries

Only management consent is required to use the Decryption Mirror feature

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

62. An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

Specify the target device as the master device in the device group

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

Add the template as a reference template in the device group

Add a firewall to both the device group and the template

63. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

wildcard server certificate

enterprise CA certificate

client certificate

server certificate

self-signed CA certificate

64. Which configuration task is best for reducing load on the management plane?

Disable logging on the default deny rule

Enable session logging at start

Disable pre-defined reports

Set the URL filtering action to send alerts

65. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

Where is the best place to validate if the firewall is blocking the user's TAR file?

Threat log

Data Filtering log

WildFire Submissions log

URL Filtering log

66. A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users

Which two settings must the customer configure? (Choose two)

Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group

Configure Cortex Data Lake log forwarding and add the Splunk syslog server

Configure a Log Forwarding profile, select the syslog checkbox and add the Splunk syslog server Apply the Log Forwarding profile to all of the security policy rules in the Mobiie_User_Device_Group

Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server

67. A remote administrator needs firewall access on an untrusted interface.

Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

client certificate

certificate profile

certificate authority (CA) certificate

server certificate

68. An existing NGFW customer requires direct interne! access offload locally at each site and iPSec connectivity to all branches over public internet. One requirement is mat no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

Configure a remote network on PAN-OS

Upgrade to a PAN-OS SD-WAN subscription

Deploy Prisma SD-WAN with Prisma Access

Configure policy-based forwarding

69. A remote administrator needs access to the firewall on an untrust interlace .

Which three options would you configure on an interface Management profile lo secure management access? (Choose three)

HTTP

User-ID

SSH

HTTPS

Permitted IP Addresses

70. An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?

To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

The WildFire Global Cloud only provides bare metal analysis.

Page 8 of 8

71. Which rule type controls end user SSL traffic to external websites?

SSL Outbound Proxyless Inspection

SSL Forward Proxy

SSL Inbound Inspection

SSH Proxy

72. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

IP Netmask

IP Wildcard Mask

IP Address

IP Range

73. A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices.

To install the certificate and key for an endpoint, which three components are required? (Choose three.)

server certificate

local computer store

private key

self-signed certificate

machine certificate

74. A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients.

Prisma Access has been selected to replace the current remote access VPN solution.

During onboarding the following options and licenses were selected and enabled

What must be configured on Prisma Access to provide connectivity to the resources in the datacenter?

Configure a mobile user gateway in the region closest to the datacenter to enable connectivity to the datacenter

Configure a remote network to provide connectivity to the datacenter

Configure Dynamic Routing to provide connectivity to the datacenter

Configure a service connection to provide connectivity to the datacenter

75. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

76. DRAG DROP

Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

77. in an HA failover scenario what occurs when sessions match an SSL Forward Proxy Decryption policy?

HA Sync does not occur the existing session is transferred to the active firewall.

HA Sync does not occur the firewall drops the session.

HA Sync occurs the session is sent to testpath

HA Sync occurs the firewall allows the session Put does not decrypt the session.

78. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

The interface must be used for traffic to the required services

You must enable DoS and zone protection

You must set the interface to Layer 2 Layer 3. or virtual wire

You must use a static IP address

79. While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

show system setting ssl-decrypt certs

show systea setting ssl-decrypt certificate-cache

show systen setting ssl-decrypt certificate

debug dataplane show ssl-decrypt ssl-stats

80. A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two)

The firewall did not install the session

The TCP connection terminated without identifying any application data

The firewall dropped a TCP SYN packet

There was not enough application data after the TCP connection was established

Good PCNSE Study Guide – Try To Test Free PCNSE Dumps Questions Online