Paloalto-Networks PCNSE Free Practice Questions

NEW QUESTION 1
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three)

• A. Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading.
• B. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
• C. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall.
• D. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall.
• E. Download and install PAN-OS 8.0.4 directly on each firewall.
• F. Download and push PAN-OS 8.0.4 from Panorama to each firewall.

Answer: ACF

NEW QUESTION 2
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

• A. web-browsing and 443
• B. SSL and 80
• C. SSL and 443
• D. web-browsing and 80

Answer: A

NEW QUESTION 3
What are the differences between using a service versus using an application for Security Policy match?

• A. Use of a "service" enables the firewall to take action after enough packets allow for App-IDidentification
• B. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers Use ofan "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the portsbeing used.
• C. There are no differences between "service" or "application” Use of an "application" simplifies configuration by allowing use ofa friendly application name instead of port numbers.
• D. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port number
• E. Use ofan "application" allows the firewall to take immediate action it the port being used is a member of the application standardport list

Answer: B

NEW QUESTION 4
What are two benefits of nested device groups in Panorama? (Choose two.)

• A. Reuse of the existing Security policy rules and objects
• B. Requires configuring both function and location for every device
• C. All device groups inherit settings form the Shared group
• D. Overwrites local firewall configuration

Answer: BC

NEW QUESTION 5
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

• A. 99
• B. 1
• C. 255

Answer:

Explanation: Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)

NEW QUESTION 6
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

• A. Configure ECMP to handle matching NAT traffic
• B. Configure a NAT Policy rule with Dynamic IP and Port
• C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
• D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option

Answer: C

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

NEW QUESTION 7
Which three firewall states are valid? (Choose three.)

• A. Active
• B. Functional
• C. Pending
• D. Passive
• E. Suspended

Answer: ADE

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-firewall-states

NEW QUESTION 8
Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?

• A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
• B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
• C. Configure log compression and optimization features on all remote firewalls.
• D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Answer: A

NEW QUESTION 9
What are three valid method of user mapping? (Choose three)

• A. Syslog
• B. XML API
• C. 802.1X
• D. WildFire
• E. Server Monitoring

Answer: ABE

NEW QUESTION 10
A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

• A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
• B. Traffic will be forced to operate over UDP Port 16384.
• C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
• D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

NEW QUESTION 11
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

• A. Service route
• B. Default route
• C. Management profile
• D. Authentication profile

Answer: A

NEW QUESTION 12
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

• A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
• B. Add a Vulnerability Protection Profile to block the attack.
• C. Add QoS Profiles to throttle incoming requests.
• D. Add a DoS Protection Profile with defined session count.Explanation:

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/dos-protection-profiles

NEW QUESTION 13
An administrator has left a firewall to use the default port for all management services. Which three
functions are performed by the dataplane? (Choose three.)

• A. WildFire updates
• B. NAT
• C. NTP
• D. antivirus E.File blocking

Answer: ABC

NEW QUESTION 14
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats.
Which option would achieve this result?

• A. Create a custom App-ID and enable scanning on the advanced tab.
• B. Create an Application Override policy.
• C. Create a custom App-ID and use the “ordered conditions” check box.
• D. Create an Application Override policy and custom threat signature for the application.

Answer: A

NEW QUESTION 15
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

• A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
• B. Wait until an official Application signature is provided from Palo Alto Networks.
• C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application
• D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Answer: D

NEW QUESTION 16
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

• A. Panorama virtual appliance on ESX(i) only
• B. M-500
• C. M-100 with Panorama installed
• D. M-100

Answer: BC

Explanation: (httpHYPERLINK "https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and- Design-Guide/ta-p/72181"s://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing- and-Design-Guide/ta-p/72181)

NEW QUESTION 17
Which logs enable a firewall administrator to determine whether a session was decrypted?

• A. Correlated Event
• B. Traffic
• C. Decryption
• D. Security Policy

Answer: B