PCNSE PAN-OS PCNSE Dumps Full Questions with Free PDF Questions to Pass
100% Updated Palo Alto Networks PCNSE Enterprise PDF Dumps
How to book the PCNSE Exam
These are the steps for registering for the Palo Alto Networks PCNSE exam.
- Step 1: Visit Pearson VUE Exam Registration
- Step 2: Sign up for or log in to a Pearson VUE account
- Step 3: Search for the Palo Alto Networks PCNSE certification exam
- Step 4: Select the date and time, and confirm with a payment method
NEW QUESTION # 63
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
- A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
- B. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
- C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
- D. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores
Answer: B
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-c
NEW QUESTION # 64
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
- A. Device > Setup > Management > AutoFocus
- B. AutoFocus is enabled by default on the Palo Alto Networks NGFW
- C. Device > Setup > WildFire > AutoFocus
- D. Device > Setup > Management > Logging and Reporting Settings
- E. Device > Setup > Services > AutoFocus
Answer: A
Explanation:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence
NEW QUESTION # 65
A company.com wants to enable Application Override. Given the following screenshot:
Which two statements are true if Source and Destination traffic match the Application Override policy?
(Choose two)
- A. Traffic will be forced to operate over UDP Port 16384.
- B. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
- C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
- D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.
Answer: B,C
NEW QUESTION # 66
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS software?
- A. RADIUS
- B. DUO
- C. Okta
- D. PingID
Answer: A
NEW QUESTION # 67
Given the following table.
Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?
- A. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
- B. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
- C. Configuring the metric for RIP to be lower than that of OSPF Ext.
- D. Configuring the metric for RIP to be higher than that of OSPF Int.
Answer: B
NEW QUESTION # 68
Which logs enable a firewall administrator to determine whether a session was decrypted?
- A. Decryption
- B. Traffic
- C. Security Policy
- D. Correlated Event
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption.html#ida09e44a8-fd80-41e8-8572-33e9b122ad22
NEW QUESTION # 69
Which three rule types are available when defining policies in Panorama? (Choose three.)
- A. Post Rules
- B. Pre Rules
- C. Stealth Rules
- D. Clean Up Rules
- E. Default Rules
Answer: A,B,E
Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama-web-interface/defining-policies-on-panorama
NEW QUESTION # 70
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
- A. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
- B. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
- C. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
- D. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
Answer: A
NEW QUESTION # 71
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)
- A. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.
- B. The firewalls must have the same set of licenses.
- C. The peer HA1 IP address must be the same on both firewalls.
- D. The management interfaces must be on the same network.
Answer: A,B
NEW QUESTION # 72
Which three firewall states are valid? (Choose three.)
- A. Passive
- B. Suspended
- C. Pending
- D. Functional
- E. Active
Answer: A,B,E
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-firewall-states
NEW QUESTION # 73
Which method will dynamically register tags on the Palo Alto Networks NGFW?
- A. Restful API or the VMware API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
- B. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
- C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
- D. Restful API or the VMware API on the firewall or on the User-ID agent
Answer: D
Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy.html#
NEW QUESTION # 74
A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?
- A. Enable NAT Traversal on the Site-A IKE Gateway profile.
- B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
- C. Change the Site-B IKE Gateway profile version to match Site-A.
- D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A
Answer: D
NEW QUESTION # 75
An administrator wants to upgrade an NGFW from PAN-OS 9.0 to PAN-OS 10.0. The firewall is not a part of an HA pair. What needs to be updated first?
- A. XML Agent
- B. Applications and Threats
- C. WildFire
- D. PAN-OS Upgrade Agent
Answer: B
Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgrade-th
NEW QUESTION # 76
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
- A. Managed Devices Health
- B. Policy Optimizer
- C. Test Policy Match
- D. Preview Changes
Answer: C
Explanation:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/troubleshooting/test-policy-match-and-connectivity-for-managed-devices.html
After you successfully push the device group and template stack configurations to your firewalls, Log Collectors, and WF-500 appliances, test that the correct traffic matches the policy rules pushed to your managed devices and that your firewalls can successfully connect to all appropriate network resources.
NEW QUESTION # 77
Which administrative authentication method supports authorization by an external service?
- A. RADIUS
- B. LDAP
- C. SSH keys
- D. Certificates
Answer: A
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/firewall-administration/manage-firewall-administrators/administrative-authentication
NEW QUESTION # 78
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?
- A. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
- B. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.
- C. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
- D. Configure a Captive Portal authentication policy that uses an authentication sequence.
Answer: A
Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214_idc4b47dbd-9777-4ec8-be70-c16ca0ea1756
NEW QUESTION # 79
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?
- A. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- B. Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
- C. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- D. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
NEW QUESTION # 80
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
- A. Use the import option to pull logs into Panorama.
- B. Use the ACC to consolidate pre-existing logs.
- C. The log database will need to be exported from the firewalls and manually imported into Panorama.
- D. A CLI command will forward the pre-existing logs to Panorama.
Answer: C
NEW QUESTION # 81
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)
- A. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow
- B. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow
- C. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow
- D. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow
Answer: B,D
NEW QUESTION # 82
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
- A. unknown-tcp
- B. incomplete
- C. unknown-udp
- D. insufficient-data
Answer: B
NEW QUESTION # 83
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?
- A. Set tunnel.1 to p2p
- B. Set Ethernet 1/1 to p2p
- C. Set Ethernet 1/1 to p2mp
- D. Set tunnel.1 to p2mp
Answer: A
NEW QUESTION # 84
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?
- A. content inspection
- B. application override
- C. redistribution of user mappings
- D. Virtual Wire mode
Answer: C
Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network
NEW QUESTION # 85
A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?
- A. Explicit Rules
- B. Post Rules
- C. Pre Rules
- D. Implicit Rules
Answer: B
Explanation:
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/Panorama-Design-Planning.pdf
NEW QUESTION # 86
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22. Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A:
B:
C:
D:
- A. Option A
- B. Option B
- C. Option D
- D. Option C
Answer: D
NEW QUESTION # 87
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet-facing interface of the firewall.
Which Security Profile should be applied to a policy to prevent these packet floods?
- A. URL Filtering profile
- B. DoS Protection profile
- C. Vulnerability Protection profile
- D. Data Filtering profile
Answer: B
Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/security-profiles
NEW QUESTION # 88