Updated PCNSE Practice Questions - Confirmed As Valid PCNSE Materials

Updated PCNSE Practice Questions – Confirmed As Valid PCNSE Materials

Eleanor2022-04-29T08:28:34+00:00

To all, the most updated PCNSE practice questions have been released with 88 exam questions, which have been confirmed as valid PCNSE preparation materials. Also all the answers of the updated PCNSE practice questions have been verified as correct ones to ensure that you can pass PCNSE Palo Alto Networks Certified Network Security Engineer Exam in the first attempt. You actually can rely on the updated PCNSE practice questions for preparation and get success in actual PCNSE exam.

Below are PCNSE free questions for practicing online:

Page 1 of 3

1. Which configuration task is best for reducing load on the management plane?

Set the URL filtering action to send alerts.

Enable session logging at start.

Disable pre-defined reports.

Disable logging on the default deny rule.

2. What is the best description of the HA4 Keep-alive Threshold (ms)?

the time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

3. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

Create an Application Filter and name it Office Programs, then filter it on the business-systems category.

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office-programs subcategory.

Create an Application Group and add Office 365, Evernote, Google Docs, and Libre Office.

4. What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?

a Security policy with "known-user” selected in the Source User field

an Authentication policy with "known-user” selected in the Source User field

an Authentication policy with 'unknown' selected in the Source User field

a Security policy with “unknown” selected in the Source User field

5. Which statement is correct given the following message from the PanGPA.log on the GlobalProtect app?

Failed to connect to server at port: 4767

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767.

The PanGPS process failed to connect to the PanGPA process on port 4767.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767.

The PanGPA process failed to connect to the PanGPS process on port 4767.

6. An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

Upgrade to a PAN-OS SD-WAN subscription

Configure policy-based forwarding

Deploy Prisma SD-WAN with Prisma Access

Configure a remote network on PAN-OS

7. A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs):

i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system.)

ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-Intermediate-CA

iv. Enterprise-Root-CA, which is verified only as Trusted Root CA

An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN): www.example-website.com.The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.

The end-user's browser will show that the certificate for www.example-website.comwas issued by which of the following?

Enterprise-Root-CA which is a self-signed CA

Enterprise-Intermediate-CA which was, in turn, issued by Enterprise-Root-CA

Enterprise-Untrusted-CA which is a self-signed CA

Enterprise-Trusted-CA which is a self-signed CA

8. When you navigate to Network>Global Protect>Portals>Agent>(config)>App and look in the Connect Method section, which three options are available? (Choose three.)

pre-logon the non-demand

certificate-logon

on-demand (manual user-initiated connection)

post-logon (always on)

user-logon (always on)

9. SAML SLO is supported for which two firewall features? (Choose two.)

WebUI

CLI

GlobalProtectPortal

CaptivePortal

10. Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

Override the value on the NYCFW template.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

Override the value on the Global template.

Override a template value using a template stack variable.

Page 2 of 3

11. 1.An administrator wants to enable WildFire inline machine learning.

Which three file types does WildFire inline ML analyze? (Choose three.)

APK

VBscripts

MS Office

ELF

Powershell scripts

12. What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

IP Netmask

IP Address

IP Wildcard Mask

IP Range

13. A remote administrator needs firewall access on an untrusted interface.

Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

certificate profile

server certificate

client certificate

certificate authority (CA) certificate

14. Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?

Yes. because the action is set to "allow ''

No because WildFire classified the seventy as "high."

Yes because the action is set to "alert"

No because WildFire categorized a file with the verdict "malicious"

15. Which statement regarding HA timer settings is true?

Use the Aggressive profile for slower failover timer settings.

Use the Moderate profile for typical failover timer settings.

Use the Critical profile for faster failover timer settings.

Use the Recommended profile for typical failover timer settings.

16. A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Move the "Global" template above the "Local” template in the template stack.

Move the "Local" template above the "Global" template in the template stack.

Perform a commit and push with the "Force Template Values" option selected.

Override the values on the local firewall and apply the correct settings for each value.

17. A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.

What should the administrator implement?

hot potato routing

summarized BGP routes before advertising

target service connection for traffic steering

default routing

18. A Panorama administrator configures a new zone and uses the zone in a new Security policy.

After the administrator commits the configuration to Panorama, which device-group commit push operation should the administrator use to ensure that the push is successful?

merge with candidate config

force template values

specify the template as a reference template

include device and network templates

19. A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg txt. The firewall is currently running PAN-OS 10.0 and using a lab config.

The contents of init-cfg.txi in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls' USB port, and the firewall has been restarted using command:> request resort system

Upon restart, the firewall fails to begin the bootstrapping process.

The failure is caused because:

Firewall must be in factory default state or have all private data deleted for bootstrapping

The USB must be formatted using the ext3 file system, FAT32 is not supported

The hostname is a required parameter, but it is missing in init-cfg txt

The bootstrap.xml file is a required file but it is missing

20. PBF can address which two scenarios? (Choose two.)

providing application connectivity the primary circuit fails

enabling the firewall to bypass Layer 7 inspection

forwarding all traffic by using source port 78249 to a specific egress interface

routing FTP to a backup ISP link to save bandwidth on the primary ISP link

Page 3 of 3

21. When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

You must set the interface to Layer 2, Layer 3, or virtual wire.

You must enable DoS and zone protection.

The interface must be used for traffic to the required services.

You must use a static IP address.

22. An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall.

Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

Option A

Option B

Option C

Option D

23. A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI.

Where can they find this information?

under the BGP Summary tab

routes listed in the routing table with flags A?B

routes listed in the forwarding table with BGP in the Protocol column

routes listed in the routing table with flags Oi

24. An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority.

Match the default Administrative Distances for each routing protocol.

25. Which component enables you to configure firewall resource protection settings?

Zone Protection Profile

DoS Protection Profile

DoS Protection policy

QoS Profile

26. In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)

Threats with a severity of "high" are always listed at the top of the Threat Name list.

The ACC has been filtered to only show the FTP application.

The Network Activity tab will display all applications, including FT

Insecure-credentials, brute-force, and protocol-anomaly are all a part of the vulnerability Threat Type.

27. A user at an external system with the IP address 65. 124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1

In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?

NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (192.168. 15.47) - Application: Web-browsing

NAT Rule: Untrust-L3 (any) - Untrust-L3 (172.16. 15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

NAT Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) Destination Translation: 192.168.15.47 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

NAT Rule: Untrust-L3 (any) - Untrust-L3 (any) Destination Translation: 192.168.15.1 Security Rule: Untrust-L3 (any) - Trust-L3 (172.16.15.1) - Application: Web-browsing

28. Your company has 10 Active Directory domain controllers spread across multiple WAN links. All users authenticate to Active Directory. Each link has substantial network bandwidth to support all mission-critical applications. The firewall's management plane is highly utilized.

Given this scenario, which type of User-ID agent is considered a best practice by Palo Alto Networks?

PAN-OS integrated agent

Citrix terminal server agent with adequate data-plane resources

Captive Portal

Windows- based User-ID agent on a standalone server

29. What are three important considerations during SD-WAN configuration planning? (Choose three.)

branch and hub locations

dynamic routing

link requirements

connection throughput

IP Addresses

30. Which statement is true regarding a Best Practice Assessment?

It runs only on firewalls.

It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.

It shows how your current configuration compares to Palo Alto Networks recommendations.

Updated PCNSE Practice Questions – Confirmed As Valid PCNSE Materials