Paloalto-Networks PCNSE Free Practice Questions

NEW QUESTION 1
Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

• A. Certificate from Default Trust Certificate Authorities
• B. Domain Sub-CA
• C. Forward_Trust
• D. Domain-Root-Cert

Answer: A

NEW QUESTION 2
Which virtual router feature determines if a specific destination IP address is reachable?

• A. Heartbeat Monitoring
• B. Failover
• C. Path Monitoring
• D. Ping-Path

Answer: C

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf

NEW QUESTION 3
Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

• A. Assign an IP address on each tunnel interface at each site
• B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
• C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
• D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 4
Which command can be used to validate a Captive Portal policy?

• A. eval captive-portal policy <criteria>
• B. request cp-policy-eval <criteria>
• C. test cp-policy-match <criteria>
• D. debug cp-policy <criteria>

Answer: C

NEW QUESTION 5
How is the Forward Untrust Certificate used?

• A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/
• B. It is used when web servers request a client certificate.
• C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.
• D. It is used for Captive Portal to identify unknown users.

Answer: C

NEW QUESTION 6
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
Users outside the company are in the "Untrust-L3" zone The web server physically resides in the "Trust-L3" zone. Web server public IP address: 23.54.6.10
Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

• A. Untrust-L3 for both Source and Destination zone
• B. Destination IP of 192.168.1.10
• C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
• D. Destination IP of 23.54.6.10

Answer: CD

NEW QUESTION 7
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

• A. To enable Gateway authentication to the Portal
• B. To enable Portal authentication to the Gateway
• C. To enable user authentication to the Portal
• D. To enable client machine authentication to the Portal

Answer: C

Explanation: The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.
Reference https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals

NEW QUESTION 8
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

• A. SSL Forward Proxy
• B. SSL Inbound Inspection
• C. TLS Bidirectional proxy
• D. SSL Outbound Inspection

Answer: A

NEW QUESTION 9
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone need to be configured to enable we browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to thins server on tcp/8080.

• A. application: web-browsing; service: application-default
• B. application: web-browsing; service: service-https
• C. application: ssl; service: any
• D. application: web-browsing; service: (custom with destination TCP port 8080)

Answer: A

NEW QUESTION 10
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

• A. Load named configuration snapshot
• B. Load configuration version
• C. Save candidate config
• D. Export device state

Answer: A

NEW QUESTION 11
Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

• A. Virtual Wire
• B. Loopback
• C. Layer 3
• D. Tunnel

Answer: BC

NEW QUESTION 12
Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

• A. 172.20.30.1
• B. 172.20.40.1
• C. 172.20.20.1
• D. 172.20.10.1

Answer: C

NEW QUESTION 13
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically?

• A. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from themanagement interfaced destined for the update servers goes out of the interface acting as your internet connection.
• B. Configure a security policy rule to allow all traffic to and from the update servers.
• C. Download and install application updates cannot be done automatically if the MGT port cannot reach the internet.
• D. Configure a service route for Palo Alto networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.

Answer: B

NEW QUESTION 14
A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

• A. Click the simple-critical rule and then click the Action drop-down list.
• B. Click the Exceptions tab and then click show all signatures.
• C. View the default actions displayed in the Action column.
• D. Click the Rules tab and then look for rules with "default" in the Action column.

Answer: B

NEW QUESTION 15
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

• A. HA1 IP Address
• B. Network Interface Type
• C. Master Key
• D. Zone Protection Profile

Answer: AB

NEW QUESTION 16
If the firewall has the link monitoring configuration, what will cause a failover?

• A. ethernet1/3 and ethernet1/6 going down
• B. ethernet1/3 going down
• C. ethernet1/3 or Ethernet1/6 going down
• D. ethernet1/6 going down

Answer: A

NEW QUESTION 17
What can missing SSL packets when performing a packet capture on dataplane interfaces?

• A. The packets are hardware offloaded to the offloaded processor on the dataplane
• B. The missing packets are offloaded to the management plane CPU
• C. The packets are not captured because they are encrypted
• D. There is a hardware problem with offloading FPGA on the management plane

Answer: A