How To Pass Palo Alto Networks Certified Network Security Engineer (PCNSE) Exam?

test2022-09-26T06:12:01+00:00

By test Palo Alto Networks Certified Network Security Engineer (PCNSE), PCNSE Certification Dumps, PCNSE practice exam, PCNSE real questions and answers 0 Comments

Are you worried about How To Pass Palo Alto Networks Certified Network Security Engineer (PCNSE) Exam? You can get help here. The purpose of this PCNSE Certification exam dumps is to assist you practice well in the test preparation. These PCNSE sample questions will give you an idea of the kind of questions you’ll see on the PCNSE certification test.The PCNSE dumps contain actual exam questions and answers, ensuring that you pass the exam on your first attempt. If you want more PCNSE exam questions with verified answers for the actual exam, you can get our full version to study.

Try free PCNSE practice exam to test yourself.

Page 1 of 4

1. You need to allow users to access the office-suite applications of their choice.

How should you configure the firewall to allow access to any office-suite application?

Create an Application Group and add Office 365, Evernote Google Docs and Libre Office

Create an Application Group and add business-systems to it.

Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory.

Create an Application Filter and name it Office Programs then filter on the business-systems category.

2. What is the best description of the HA4 Keep-Alive Threshold (ms)?

the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.

The timeframe that the local firewall wait before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

3. An engineer needs to see how many existing SSL decryption sessions are traversing a firewall

What command should be used?

show dataplane pool statistics I match proxy

debug dataplane pool statistics I match proxy

debug sessions I match proxy

show sessions all

4. An engineer needs to redistribute User-ID mappings from multiple data centers.

Which data flow best describes redistribution of user mappings?

Domain Controller to User-ID agent

User-ID agent to Panorama

User-ID agent to firewall

firewall to firewall

5. DRAG DROP

Place the steps in the WildFire process workflow in their correct order.

6. An engineer is tasked with enabling SSL decryption across the environment.

What are three valid parameters of an SSL Decryption policy? (Choose three.)

URL categories

source users

source and destination IP addresses

App-ID

GlobalProtect HIP

7. An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

IPSec crypto profile mismatch

IPSec protocol mismatch

mismatched Proxy-IDs

bad local and peer identification IP addresses in the IKE gateway

8. Which CLI command is used to determine how much disk space is allocated to logs?

show logging-status

show system info

debug log-receiver show

show system logdfo-quota

9. A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public

address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

Option A

Option B

Option C

Option D

10. During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Page 2 of 4

11. A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.

Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

Layer 3

Virtual Wire

Tap

Layer 2

12. Which three items are import considerations during SD-WAN configuration planning? (Choose three.)

link requirements

the name of the ISP

IP Addresses

branch and hub locations

13. An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface

What are three supported functions on the VWire interface? (Choose three)

NAT

QoS

IPSec

OSPF

SSL Decryption

14. An organization wishes to roll out decryption but gets some resistance from engineering leadership regarding the guest network.

What is a common obstacle for decrypting traffic from guest devices?

Guest devices may not trust the CA certificate used for the forward untrust certificate.

Guests may use operating systems that can't be decrypted.

The organization has no legal authority to decrypt their traffic.

Guest devices may not trust the CA certificate used for the forward trust certificate.

15. An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action.

How can the administrator create an exception for this particular file?

Add partial hash and filename in the file section of the WildFire inline ML tab of the Antivirus profile.

Set the WildFire inline ML action to allow for that protocol on the Antivirus profile.

Add the related Threat ID in the Signature exceptions tab of the Antivirus profile.

Disable the WildFire profile on the related Security policy.

16. What can an engineer use with GlobalProtect to distribute user-specific client certificates to each GlobalProtect user?

Certificate profile

SSL/TLS Service profile

OCSP Responder

SCEP

17. Which statement regarding HA timer settings is true?

Use the Recommended profile for typical failover timer settings

Use the Moderate profile for typical failover timer settings

Use the Aggressive profile for slower failover timer settings.

Use the Critical profile for faster failover timer settings.

18. A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment They want to ensure that they know as much as they can about QoS before deploying.

Which statement about the QoS feature is correct?

QoS is only supported on firewalls that have a single virtual system configured

QoS can be used in conjunction with SSL decryption

QoS is only supported on hardware firewalls

QoS can be used on firewalls with multiple virtual systems configured

19. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

inherit address-objects from templates

define a common standard template configuration for firewalls

standardize server profiles and authentication configuration across all stacks

standardize log-forwarding profiles for security polices across all stacks

20. When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices

What should you recommend?

Enable SSL decryption for known malicious source IP addresses

Enable SSL decryption for source users and known malicious URL categories

Enable SSL decryption for malicious source users

Enable SSL decryption for known malicious destination IP addresses

Page 3 of 4

21. An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

Use the same Forward Trust certificate on all firewalls in the network.

Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

Use an enterprise CA-signed certificate for the Forward Untrust certificate.

22. Refer to the image.

An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.

How can the issue be corrected?

Override the value on the NYCFW template.

Override a template value using a template stack variable.

Override the value on the Global template.

Enable "objects defined in ancestors will take higher precedence" under Panorama settings.

23. An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring Is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Non-functional

Passive

Active-Secondary

Active

24. An administrator analyzes the following portion of a VPN system log and notices the following issue "Received local id 10 10 1 4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24 type IPv4 address protocol 0 port 0."

What is the cause of the issue?

IPSec crypto profile mismatch

IPSec protocol mismatch

mismatched Proxy-IDs

bad local and peer identification IP addresses in the IKE gateway

25. An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory

What must be configured in order to select users and groups for those rules from Panorama?

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

A User-ID Certificate profile must be configured on Panorama

26. Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection

Create a zone protection profile with flood protection configured to defend an entire egress zone against SY

ICMP ICMPv6, UD

and other IP flood attacks

Add a WildFire subscription to activate DoS and zone protection features

Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems

27. How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Use the debug dataplane packet-diag set capture stage firewall file command.

Enable all four stages of traffic capture (TX, RX, DROP, Firewall).

Use the debug dataplane packet-diag set capture stage management file command.

Use the tcpdump command.

28. 1.An enterprise information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems However a recent phisning campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets For users that need to access these systems Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA1?

Configure a Captive Porta1 authentication policy that uses an authentication profile that references a RADIUS profile

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy

Configure a Captive Portal authentication policy that uses an authentication sequence

Use a Credential Phishing agent to detect prevent and mitigate credential phishing campaigns

29. Which GlobalProtect component must be configured to enable Clientless VPN?

GlobalProtect satellite

GlobalProtect app

GlobalProtect portal

GlobalProtect gateway

30. A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?

Syslog listener

agentless User-ID with redistribution

standalone User-ID agent

captive portal

Page 4 of 4

31. A client wants to detect the use of weak and manufacturer-default passwords for loT devices.

Which option will help the customer?

Configure a Data Filtering profile with alert mode.

Configure an Antivirus profile with alert mode.

Configure a Vulnerability Protection profile with alert mode

Configure an Anti-Spyware profile with alert mode.

32. The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall.

Why is the AE interface showing down on the passive firewall?

It does not perform pre-negotiation LACP unless "Enable in HA Passive State" is selected under the High Availability Options on the LACP tab of the AE Interface.

It does not participate in LACP negotiation unless Fast Failover is selected under the Enable LACP selection on the LACP tab of the AE Interface.

It participates in LACP negotiation when Fast is selected for Transmission Rate under the Enable LACP selection on the LACP tab of the AE Interface.

It performs pre-negotiation of LACP when the mode Passive is selected under the Enable LACP selection on the LACP tab of the AE Interface.

33. Which two statements correctly describe Session 380280? (Choose two.)

The session went through SSL decryption processing.

The session has ended with the end-reason unknown.

The application has been identified as web-browsing.

The session did not go through SSL decryption processing.

34. A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.

Where is the best place to validate if the firewall is blocking the user's TAR file?

URL Filtering log

Data Filtering log

Threat log

WildFire Submissions log

35. An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.

Which configuration setting or step will allow the firewall to get automatic application signature updates?

A scheduler will need to be configured for application signatures.

A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.

A Threat Prevention license will need to be installed.

A service route will need to be configured.

36. When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?

Certificate profile

Path Quality profile

SD-WAN Interface profile

Traffic Distribution profile

37. With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

Incomplete

unknown-tcp

Insufficient-data

not-applicable

38. An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications QoS natively integrates with which feature to provide service quality?

certificate revocation

Content-ID

App-ID

port inspection