Paloalto-Networks PCNSE Free Practice Questions

NEW QUESTION 1
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

• A. Virtual router
• B. Security zone
• C. ARP entries
• D. Netflow Profile

Answer: AB

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-interfaces/pa-7000-series- layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd- 8064499f5b9d

NEW QUESTION 2
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

• A. dll
• B. exe
• C. src
• D. apk
• E. pdf
• F. jar

Answer: DEF

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-overview/wildfire-file-type-support

NEW QUESTION 3
Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

• A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
• B. Configuring the metric for RIP to be higher than that of OSPF Int.
• C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
• D. Configuring the metric for RIP to be lower than that OSPF Ext.

Answer: A

NEW QUESTION 4
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect
to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

• A. A scheduler will need to be configured for application signatures.
• B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
• C. A Threat Prevention license will need to be installed.
• D. A service route will need to be configured.

Answer: D

Explanation: The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-dynamic-updates

NEW QUESTION 5
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

• A. Certificate revocation list
• B. Trusted root certificate
• C. Machine certificate
• D. Online Certificate Status Protocol

Answer: C

NEW QUESTION 6
Which three options are supported in HA Lite? (Choose three.)

• A. Virtual link
• B. Active/passive deployment
• C. Synchronization of IPsec security associations
• D. Configuration synchronization
• E. Session synchronization

Answer: BCD

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-high-availability/ha-lite

NEW QUESTION 7
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

• A. Anti-Spyware
• B. WildFire
• C. Vulnerability Protection
• D. Antivirus

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/antivirus- profiles

NEW QUESTION 8
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
•Firewall has Internet connectivity through e1/1.
•Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
•Service route is configured, sourcing update traffic from e1/1.
•A communication error appears in the System logs when updates are performed.
•Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

• A. DNS settings for the firewall to use for resolution
• B. scheduler for timed downloads of PAN-OS software
• C. static route pointing application PaloAlto-updates to the update servers
• D. Security policy rule allowing PaloAlto-updates as the application

Answer: D

NEW QUESTION 9
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

• A. Option A
• B. Option B
• C. Option C
• D. Option D
• E. Option E

Answer: B

NEW QUESTION 10
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

• A. Enable packet buffer protection on the Zone Protection Profile.
• B. Apply an Anti-Spyware Profile with DNS sinkholing.
• C. Use the DNS App-ID with application-default.
• D. Apply a classified DoS Protection Profile.

Answer: A

NEW QUESTION 11
Which event will happen if an administrator uses an Application Override Policy?

• A. Threat-ID processing time is decreased.
• B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
• C. The application name assigned to the traffic by the security rule is written to the Traffic log.
• D. App-ID processing time is increased.Explanation:

Answer: B

Explanation: Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

NEW QUESTION 12
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

• A. The firewall is in multi-vsys mode.
• B. The traffic is offloaded.
• C. The traffic does not match the packet capture filter.
• D. The firewall’s DP CPU is higher than 50%.

Answer: BC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload

NEW QUESTION 13
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

• A. Both SSH keys and SSL certificates must be generated.
• B. No prerequisites are required.
• C. SSH keys must be manually generated.
• D. SSL certificates must be generated.

Answer: B

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssh-proxy

NEW QUESTION 14
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?

• A. Custom application
• B. System logs show an application error and neither signature is used.
• C. Downloaded application
• D. Custom and downloaded application signature files are merged and both are used

Answer: A

NEW QUESTION 15
Which three rule types are available when defining policies in Panorama? (Choose three.)

• A. Pre Rules
• B. Post Rules
• C. Default Rules
• D. Stealth Rules
• E. Clean Up Rules

Answer: ABC

Explanation: https://www.paloaltonetwoHYPERLINK "https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/panorama- web-interface/defining-policies-on-panorama"rks.com/documentation/71/pan-os/web-
interHYPERLINK "https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface- help/panorama-web-interface/defining-policies-on-panorama"face-help/panorama-web- interface/defining-policies-on-panorama

NEW QUESTION 16
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

• A. Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per ingress zone.
• B. Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection.
• C. Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per ingress zone.
• D. Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection pre egress zone.
• E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer Protection per zone.

Answer: A

NEW QUESTION 17
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

• A. Deny application facebook-chat before allowing application facebook
• B. Deny application facebook on top
• C. Allow application facebook on top
• D. Allow application facebook before denying application facebook-chat

Answer: A

Explanation: Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block-Facebook-Chat-Consistently/ta-p/115673