Paloalto-Networks PCNSE Free Practice Questions

NEW QUESTION 1
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface
Which interface type and configuration setting will support this design?

• A. Trunk interface type with specified tag
• B. Layer 3 interface type with specified tag
• C. Layer 2 interface type with a VLAN assigned
• D. Layer 3 subinterface type with specified tag

Answer: D

NEW QUESTION 2
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

• A. Security policy
• B. Decryption policy
• C. Authentication policy
• D. Application Override policy

Answer: C

NEW QUESTION 3
How are IPV6 DNS queries configured to user interface ethernet1/3?

• A. Network > Virtual Router > DNS Interface
• B. Objects > CustomerObjects > DNS
• C. Network > Interface Mgrnt
• D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 4
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

• A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
• B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
• C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRPprotocols)
• D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Answer: C

NEW QUESTION 5
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

• A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
• B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
• C. Rule # 1: application: ssl; service: application-default; action: allowRule #2: application: web-browsing; service: application-default; action: allow
• D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer: A

NEW QUESTION 6
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
• DMZ zone: DMZ-L3
• Public zone: Untrust-L3
• Guest zone: Guest-L3
• Web server zone: Trust-L3
• Public IP address (Untrust-L3): 1.1.1.1
• Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

• A. Untrust-L3
• B. DMZ-L3
• C. Guest-L3
• D. Trust-L3

Answer: A

NEW QUESTION 7
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

• A. Block sessions with expired certificates
• B. Block sessions with client authentication
• C. Block sessions with unsupported cipher suites
• D. Block sessions with untrusted issuers
• E. Block credential phishing

Answer: ABC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-profile

NEW QUESTION 8
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

• A. ACC
• B. System Logs
• C. App Scope
• D. Session Browser

Answer: D

NEW QUESTION 9
In the following image from Panorama, why are some values shown in red?

• A. sg2 session count is the lowest compared to the other managed devices.
• B. us3 has a logging rate that deviates from the administrator-configured thresholds.
• C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
• D. sg2 has misconfigured session thresholds.

Answer: C

NEW QUESTION 10
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

• A. Microsoft Active Directory
• B. Microsoft Terminal Services
• C. Aerohive Wireless Access Point
• D. Palo Alto Networks Captive Portal

Answer: B

NEW QUESTION 11
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

• A. Disable SNMP on the management interface.
• B. Application override of SSL application.
• C. Disable logging at session start in Security policies.
• D. Disable predefined reports.E.Reduce the traffic being decrypted by the firewall.

Answer: CD

NEW QUESTION 12
Based on the following image,

what is the correct path of root, intermediate, and end-user certificate?

• A. Palo Alto Networks > Symantec > VeriSign
• B. Symantec > VeriSign > Palo Alto Networks
• C. VeriSign > Palo Alto Networks > Symantec
• D. VeriSign > Symantec > Palo Alto Networks

Answer: D

NEW QUESTION 13
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

• A. Brute-force signatures
• B. BrightCloud Url Filtering
• C. PAN-DB URL Filtering
• D. DNS-based command-and-control signatures

Answer: CD

NEW QUESTION 14
How can a candidate or running configuration be copied to a host external from Panorama?

• A. Commit a running configuration.
• B. Save a configuration snapshot.
• C. Save a candidate configuration.
• D. Export a named configuration snapshot.

Answer: D

Explanation: Reference:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/administ er-panorama/back-up-panorama-and-firewall-configurations

NEW QUESTION 15
In a virtual router, which object contains all potential routes?

• A. MIB
• B. RIB
• C. SIP
• D. FIB

Answer: B

Explanation: Reference: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0ahUKEwiOkbfYzPzXAhVnEJoKHcwVCg4QFghiMAk&url=https%3A%2F%2Flive.paloaltonetworks.com%2Ftwzvq79624%2Fattachments%2Ftwzvq79624%2Fdocumentation_tkb%2F487%2F1%2FRoute%2520Redistribution%2520and%2520Filtering%2520TechNote%2520-%2520Rev% 2520B. pdf&usg=AOvVaw0H9qgaJK0oI2xjIJBNo1Km

NEW QUESTION 16
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

• A. Configure the option for “Threshold”.
• B. Disable automatic updates during weekdays.
• C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
• D. Automatically “download and install” but with the “disable new applications” option used.

Answer: A

NEW QUESTION 17
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

• A. Create a no-decrypt Decryption Policy rule.
• B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
• C. Create a Dynamic Address Group for untrusted sites
• D. Create a Security Policy rule with vulnerability Security Profile attached.
• E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD