Paloalto-Networks PCNSE Free Practice Questions

NEW QUESTION 1
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

• A. TLS Bidirectional Inspection
• B. SSL Inbound Inspection
• C. SSH Forward Proxy
• D. SMTP Inbound DecryptionExplanation:

Answer: B

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

NEW QUESTION 2
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

• A. When configuring Certificate Profiles
• B. When configuring GlobalProtect portal
• C. When configuring User Activity Reports
• D. When configuring Antivirus Dynamic Updates

Answer: D

NEW QUESTION 3
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?

• A. Enable on Site-A only
• B. Enable on Site-B only
• C. Enable on Site-B only with passive mode
• D. Enable on Site-A and Site-B

Answer: D

NEW QUESTION 4
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

• A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
• B. File Blocking profiles applied to outbound security policies with action set to alert
• C. Vulnerability Protection profiles applied to outbound security policies with action set to block
• D. Antivirus profiles applied to outbound security policies with action set to alert

Answer: A

NEW QUESTION 5
Which CLI command displays the current management plane memory utilization?

• A. > debug management-server show
• B. > show running resource-monitor
• C. > show system info
• D. > show system resources

Answer: D

Explanation: https://HYPERLINK "https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system-resources/ta-p/59364"live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret- show-system-resources/ta-p/59364
"The command show system resources gives a snapshot of Management Plane (MP) resource utilization including memory and CPU. This is similar to the ‘top’ command in Linux." https://live.HYPERLINK "https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret- show-system-resources/ta-p/59364"paloHYPERLINK
"https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system- resources/ta-p/59364"altonetworHYPERLINK "https://live.paloaltonetworks.com/t5/Learning- Articles/How-to-Interpret-show-system-resources/ta-p/59364"ks.com/t5/Learning-Articles/How-to- Interpret-show-system-resources/ta-p/59364

NEW QUESTION 6
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

• A. Destination IPof 23.54.6.10
• B. UntrustL3 for both Source and Destination Zone
• C. Destination IP of 192.168.1.10
• D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone

Answer: AB

NEW QUESTION 7
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

• A. Device>Setup>Services>AutoFocus
• B. Device> Setup>Management >AutoFocus
• C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
• D. Device>Setup>WildFire>AutoFocus
• E. Device>Setup> Management> Logging and Reporting Settings

Answer: B

Explanation: Reference: https://www.paloaHYPERLINK
"https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence"ltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence

NEW QUESTION 8
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

• A. Verify AutoFocus status using CLI.
• B. Check the WebUI Dashboard AutoFocus widget.
• C. Check for WildFire forwarding logs.
• D. Check the license
• E. Verify AutoFocus is enabled below Device Management tab.

Answer: BD

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence

NEW QUESTION 9
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

• A. application override
• B. Virtual Wire mode
• C. content inspection
• D. redistribution of user mappings

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network

NEW QUESTION 10
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

• A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000.
• D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.

Answer: C

NEW QUESTION 11
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

• A. test panoramas-connect 10.10.10.5
• B. show panoramas-status
• C. show arp all I match 10.10.10.5
• D. topdump filter "host 10.10.10.5
• E. debug dataplane packet-diag set capture on

Answer: BD

NEW QUESTION 12
Which three fields can be included in a pcap filter? (Choose three)

• A. Egress interface
• B. Source IP
• C. Rule number
• D. Destination IP
• E. Ingress interface

Answer: BCD

Explanation: (https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta- p/72069)

NEW QUESTION 13
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

• A. KVM
• B. VMware ESX
• C. VMware NSX
• D. AWS

Answer: AB

NEW QUESTION 14
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

• A. The IP Address of sinkhole.paloaltonetworks.com
• B. The IP Address of the command-and-control server
• C. The IP Address specified in the sinkhole configuration
• D. The IP Address of one of the external DNS servers identified in the anti-spyware database

Answer: C

Explanation: https://live.paloaltonetworks.com/t5/MaHYPERLINK "https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function- is-Working/ta-p/65864"naHYPERLINK "https://live.paloaltonetworks.com/t5/Management- Articles/How-to-Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864"gement-Articles/How-to- Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864

NEW QUESTION 15
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

• A. Log
• B. Alert
• C. Allow
• D. Default

Answer: B

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-filtering- profile-actions

NEW QUESTION 16
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

• A. Assign an IP address on each tunnel interface at each site
• B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
• C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
• D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 17
YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

• A. Outbound profile with Guaranteed Ingress
• B. Outbound profile with Maximum Ingress
• C. Inbound profile with Guaranteed Egress
• D. Inbound profile with Maximum Egress

Answer: D