Prepare For Palo Alto Networks Certified Network Security Engineer PCNSE Exam Well: PCNSE Updated Dumps Questions

Eleanor2023-02-10T08:45:31+00:00

By Eleanor Palo Alto Networks, PCNSE PCNSE, PCNSE exam demo, PCNSE exam questions 0 Comments

To prepare for the Palo Alto Networks Certified Network Security Engineer PCNSE exam well, the most updated PCNSE dumps questions of ITPrepare can be the best materials. The Palo Alto Networks PCNSE exam questions are in a pdf file. You don’t need to go anywhere or take any classes as you can prepare your Palo Alto Networks Certified Network Security Engineer PCNSE through the comfort of your home or office. In one word, come to ITPrepare to get the PCNSE exam dumps questions for learning.

Come to get the PCNSE free demo to check the quality of the updated dumps:

Page 1 of 8

1. A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama.

What are the next steps to migrate configuration from the firewalls to Panorama?

Use API calls to retrieve the configuration directly from the managed devices

Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama

import Device Configuration to Panorama followed by Export or Push Device Config Bundle

Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices

2. Cortex XDR notifies an administrator about grayware on the endpoints. There are no entries about grayware in any of the logs of the corresponding firewall.

Which setting can the administrator configure on the firewall to log grayware verdicts?

within the log forwarding profile attached to the Security policy rule

within the log settings option in the Device tab

in WildFire General Settings, select "Report Grayware Files"

in Threat General Settings, select "Report Grayware Files"

3. An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth.

Which QoS setting should the engineer adjust?

QoS profile: Egress Max

QoS interface: Egress Guaranteed

QoS profile: Egress Guaranteed

QoS interface: Egress Max

4. Which GlobalProtect component must be configured to enable Clientless VPN?

GlobalProtect satellite

GlobalProtect app

GlobalProtect portal

GlobalProtect gateway

5. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Create a zone protection profile with flood protection configured to defend an entire egress zone against SY

ICMP ICMPv6, UD

and other IP flood attacks

Add a WildFire subscription to activate DoS and zone protection features

Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

6. Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

Yes. because the action is set to "allow ''

No because WildFire categorized a file with the verdict "malicious"

Yes because the action is set to "alert"

No because WildFire classified the seventy as "high."

7. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Syslog listener

agentless User-ID with redistribution

standalone User-ID agent

captive portal

8. When using certificate authentication for firewall administration, which method is used for authorization?

Radius

LDAP

Kerberos

Local

9. A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

Change the HA timer profile to "aggressive" or customize the settings in advanced profile.

Change the HA timer profile to "fast".

Change the HA timer profile to "user-defined" and manually set the timers.

Change the HA timer profile to "quick" and customize in advanced profile.

10. Where is information about packet buffer protection logged?

Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log

All entries are in the System log

Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log

All entries are in the Alarms log

Page 2 of 8

11. Which data flow describes redistribution of user mappings?

User-ID agent to firewall

firewall to firewall

Domain Controller to User-ID agent

User-ID agent to Panorama

12. Given the screenshot, how did the firewall handle the traffic?

Traffic was allowed by profile but denied by policy as a threat

Traffic was allowed by policy but denied by profile as..

Traffic was allowed by policy but denied by profile as ..

Traffic was allowed by policy but denied by profile as a..

13. The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such.

The admin has not yet installed the root certificate onto client systems

What effect would this have on decryption functionality?

Decryption will function and there will be no effect to end users

Decryption will not function because self-signed root certificates are not supported

Decryption will not function until the certificate is installed on client systems

Decryption will function but users will see certificate warnings for each SSL site they visit

14. What is a key step in implementing WildFire best practices?

In a mission-critical network, increase the WildFire size limits to the maximum value.

Configure the firewall to retrieve content updates every minute.

In a security-first network, set the WildFire size limits to the minimum value.

Ensure that a Threat Prevention subscription is active.

15. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

16. An administrator needs firewall access on a trusted interface.

Which two components are required to configure certificate based, secure authentication to the web Ul? (Choose two)

certificate profile

server certificate

SSH Service Profile

SSL/TLS Service Profile

17. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

inherit address-objects from templates

define a common standard template configuration for firewalls

standardize server profiles and authentication configuration across all stacks

standardize log-forwarding profiles for security polices across all stacks

18. An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.

If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?

Panorama does not have valid licenses to push the dynamic updates.

Panorama has no connection to Palo Alto Networks update servers.

No service route is configured on the firewalls to Palo Alto Networks update servers.

Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.

19. What are three reasons for excluding a site from SSL decryption? (Choose three.)

the website is not present in English

unsupported ciphers

certificate pinning

unsupported browser version

mutual authentication

20. An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department.

Which dynamic role does the administrator assign to the new-hire colleague?

Device administrator (read-only)

System administrator (read-only)

Firewall administrator (read-only)

Superuser (read-only)

Page 3 of 8

21. An administrator is seeing one of the firewalls in a HA active/passive pair moved to 'suspended" state due to Non-functional loop.

Which three actions will help the administrator troubleshool this issue? (Choose three.)

Use the CLI command show high-availability flap-statistics

Check the HA Link Monitoring interface cables.

Check the High Availability > Link and Path Monitoring settings.

Check High Availability > Active/Passive Settings > Passive Link State

Check the High Availability > HA Communications > Packet Forwarding settings.

22. A company is using wireless controllers to authenticate users.

Which source should be used for User-ID mappings?

Syslog

XFF headers

server monitoring

client probing

23. A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)

Virtual router

Security zone

ARP entries

Netflow Profile

24. In a Panorama template which three types of objects are configurable? (Choose three)

HIP objects

QoS profiles

interface management profiles

certificate profiles

security profiles

25. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route? (Choose two.)

no install on the route

duplicate static route

path monitoring on the static route

disabling of the static route

26. An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices.

Which Mo variable types can be defined? (Choose two.)

Path group

Zone

IP netmask

FQDN

27. Which statement regarding HA timer settings is true?

Use the Recommended profile for typical failover timer settings

Use the Moderate profile for typical failover timer settings

Use the Aggressive profile for slower failover timer settings.

Use the Critical profile for faster failover timer settings.

28. How does Panorama prompt VMWare NSX to quarantine an infected VM?

Email Server Profile

Syslog Sewer Profile

SNMP Server Profile

HTTP Server Profile

29. A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?

Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic

Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic

Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive

Use Decryption profiles to drop traffic that uses processor-intensive ciphers

30. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?

review the configuration logs on the Monitor tab

click Preview Changes under Push Scope

use Test Policy Match to review the policies in Panorama

context-switch to the affected firewall and use the configuration audit tool

Page 4 of 8

31. Which statement best describes the Automated Commit Recovery feature?

It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall if the check fails.

It restores the running configuration on a firewall and Panorama if the last configuration commit fails.

It performs a connectivity check between the firewall and Panorama after every configuration commit on the firewall. It reverts the configuration changes on the firewall and on Panorama if the check fails.

It restores the running configuration on a firewall if the last configuration commit fails.

32. What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

a Security policy with 'known-user" selected in the Source User field

an Authentication policy with 'unknown' selected in the Source User field

a Security policy with 'unknown' selected in the Source User field

an Authentication policy with 'known-user' selected in the Source User field

33. An administrator is building Security rules within a device group to block traffic to and from malicious locations

How should those rules be configured to ensure that they are evaluated with a high priority?

Create the appropriate rules with a Block action and apply them at the top of the Default Rules

Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules.

Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules.

Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules

34. A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers.

Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

Configuration logs

System logs

Traffic logs

Tunnel Inspection logs

35. An administrator creates an application-based security policy rule and commits the change to the firewall.

Which two methods should be used to identify the dependent applications for the respective rule? (Choose two.)

Use the show predefined xpath <value> command and review the output.

Review the App Dependency application list from the Commit Status view.

Open the security policy rule and review the Depends On application list.

Reference another application group containing similar applications.

36. In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

wildcard server certificate

enterprise CA certificate

client certificate

server certificate

self-signed CA certificate

37. Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

PAN-OS integrated User-ID agent

GlobalProtect

Windows-based User-ID agent

LDAP Server Profile configuration

38. 1.An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

It applies to existing sessions and is not global

It applies to new sessions and is global

It applies to new sessions and is not global

It applies to existing sessions and is global

39. Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

Override the value on the NYCFW template.

Override a template value using a template stack variable.

Override the value on the Global template.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

40. How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advance Routing Engine run on PAN-OS 10.2?

create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD

create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile

create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile

create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD

Page 5 of 8

41. An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

Guest devices may not trust the CA certificate used for the forward untrust certificate.

Guests may use operating systems that can't be decrypted.

The organization has no legal authority to decrypt their traffic.

Guest devices may not trust the CA certificate used for the forward trust certificate.

42. A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.

Which two configurations should you check on the firewall? (Choose two.)

In the OSFP configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.

Within the redistribution profile ensure that Redist is selected.

Ensure that the OSPF neighbor state Is "2-Way."

In the redistribution profile check that the source type is set to "ospf."

43. The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install.

When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?

Management only mode

Expired certificates

Outdated plugins

GlobalProtect agent version

44. Which steps should an engineer take to forward system logs to email?

Create a new email profile under Device > server profiles; then navigate to Objects > Log Forwarding profile > set log type to system and the add email profile.

Enable log forwarding under the email profile in the Objects tab.

Create a new email profile under Device > server profiles: then navigate to Device > Log Settings > System and add the email profile under email.

Enable log forwarding under the email profile in the Device tab.

45. An engineer is configuring SSL Inbound Inspection for public access to a company's application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Self-signed CA and End-entity certificate

Root CA and Intermediate CA(s)

Self-signed certificate with exportable private key

Intermediate CA (s) and End-entity certificate

46. A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone.

What should the firewall administrator do to mitigate this type of attack?

Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone

Enable packet buffer protection in the outside zone.

Create a Security rule to deny all ICMP traffic from the outside zone.

Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.

47. What is the dependency for users to access services that require authentication?

An Authentication profile that includes those services

Disabling the authentication timeout

An authentication sequence that includes those services

A Security policy allowing users to access those services

48. What can be used to create dynamic address groups?

dynamic address

region objects

tags

FODN addresses

49. A standalone firewall with local objects and policies needs to be migrated into Panorama.

What procedure should you use so Panorama is fully managing the firewall?

Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates"

Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration

Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration

Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates"

50. A network administrator wants to deploy SSL Forward Proxy decryption.

What two attributes should a forward trust certificate have? (Choose two.)

A subject alternative name

A private key

A server certificate

A certificate authority (CA) certificate

Page 6 of 8

51. A firewall administrator wants to avoid overflowing the company syslog server with traffic logs.

What should the administrator do to prevent the forwarding of DNS traffic logs to syslog?

Disable logging on security rules allowing DN

Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application not equal to DN

Create a security rule to deny DNS traffic with the syslog server in the destination

Go to the Log Forwarding profile used to forward traffic logs to syslog. Then, under traffic logs match list, create a new filter with application equal to DN

52. Which statement about High Availability timer settings is true?

Use the Moderate timer for typical failover timer settings.

Use the Critical timer for taster failover timer settings.

Use the Recommended timer tor faster failover timer settings.

Use the Aggressive timer for taster failover timer settings

53. DRAG DROP

Match each GlobalProtect component to the purpose of that component

54. An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

Ethernet SGT Protection

Protocol Protection

DoS Protection

Reconnaissance Protection

Resource Protection

55. An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.

Which scenario will cause the Active firewall to fail over?

IP address 8.8.8.8 is unreachable for 1 second.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.

IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds

IP address 4.2.2.2 is unreachable for 2 seconds.

56. A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4. 2.2.2 for the IP address of the web server, www,xyz.com. The DNS server returns an address of 172.16.15.1

In order to reach Ire web server, which Security rule and NAT rule must be configured on the firewall?

Option A

Option B

Option C

Option D

57. Which CLI command is used to determine how much disk space is allocated to logs?

show logging-status

show system info

debug log-receiver show

show system logdfo-quota

58. In the screenshot above which two pieces ot information can be determined from the ACC configuration shown? (Choose two)

The Network Activity tab will display all applications, including FT

Threats with a severity of "high" are always listed at the top of the Threat Name list

Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type

The ACC has been filtered to only show the FTP application

59. Four configuration choices are listed, and each could be used to block access to a specific URL II you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL1?

PAN-DB URL category in URL Filtering profile

Custom URL category in Security policy rule

Custom URL category in URL Filtering profile

EDL in URL Filtering profile

60. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

Page 7 of 8

61. Which GlobalProtect component must be configured to enable Clientless VPN?

GlobalProtect satellite

GlobalProtect app

GlobalProtect portal

GlobalProtect gateway

62. The UDP-4501 protocol-port is used between which two GlobalProtect components?

GlobalProtect app and GlobalProtect gateway

GlobalProtect portal and GlobalProtect gateway

GlobalProtect app and GlobalProtect satellite

GlobalProtect app and GlobalProtect portal

63. An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

Option A

Option B

Option C

Option D

64. An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)

Syslog

XFF Headers

Client probing

Server Monitoring

65. Which configuration is backed up using the Scheduled Config Export feature in Panorama?

Panorama running configuration

Panorama candidate configuration

Panorama candidate configuration and candidate configuration of all managed devices

Panorama running configuration and running configuration of all managed devices

66. During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted

How should the engineer proceed?

Allow the firewall to block the sites to improve the security posture

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Install the unsupported cipher into the firewall to allow the sites to be decrypted

Create a Security policy to allow access to those sites

67. WildFire will submit for analysis blocked files that match which profile settings?

files matching Anti-Spyware signatures

files that are blocked by URL filtering

files that are blocked by a File Blocking profile

files matching Anti-Virus signatures

68. An engineer is tasked with enabling SSL decryption across the environment.

What are three valid parameters of an SSL Decryption policy? (Choose three.)

URL categories

source users

source and destination IP addresses

App-ID

GlobalProtect HIP

69. Which Panorama feature protects logs against data loss if a Panorama server fails?

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

70. Which benefit do policy rule UUlDs provide?

An audit trail across a policy's lifespan

Functionality for scheduling policy actions

The use of user IP mapping and groups in policies

Cloning of policies between device-groups

Page 8 of 8

71. DRAG DROP

Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

72. The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.

Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?

action 'reset-both' and packet capture 'extended-capture'

action 'default' and packet capture 'single-packet'

action 'reset-both' and packet capture 'single-packet'

action 'reset-server' and packet capture 'disable'

73. You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.

When upgrading Log Collectors to 10.2, you must do what?

Upgrade the Log Collectors one at a time.

Add Panorama Administrators to each Managed Collector.

Add a Global Authentication Profile to each Managed Collector.

Upgrade all the Log Collectors at the same time.

74. An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

75. A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny."

Which action will this configuration cause on the matched traffic?

The Profile Settings section will be grayed out when the Action is set to "Deny"

It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit

The configuration will allow the matched session unless a vulnerability signature is detected.

The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny"

76. What is considered the best practice with regards to zone protection?

Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse

Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs

If the levels of zone and DoS protection consume too many firewall resources, disable zone protection

Set the Alarm Rate threshold for event-log messages to high severity or critical severity

77. What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

78. A client wants to detect the use of weak and manufacturer-default passwords for loT devices.

Which option will help the customer?

Configure a Data Filtering profile with alert mode.

Configure an Antivirus profile with alert mode.

Configure a Vulnerability Protection profile with alert mode

Configure an Anti-Spyware profile with alert mode.

79. A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

What should the administrator do to allow the tool to scan through the firewall?

Remove the Zone Protection profile from the zone setting.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

80. An administrator device-group commit push is tailing due to a new URL category

How should the administrator correct this issue?

verify that the URL seed Tile has been downloaded and activated on the firewall

change the new category action to alert" and push the configuration again

update the Firewall Apps and Threat version to match the version of Panorama

ensure that the firewall can communicate with the URL cloud

Prepare For Palo Alto Networks Certified Network Security Engineer PCNSE Exam Well: PCNSE Updated Dumps Questions