New 2021 Latest Questions PCNSE Dumps - Use Updated Palo Alto Networks Exam [Q138-Q156]

Share

New 2021 Latest Questions PCNSE Dumps - Use Updated Palo Alto Networks Exam

Latest PCNSE Exam Dumps Palo Alto Networks Exam from Training Expert VCEDumps


For more info visit:

Palo Alto Networks PCNSE Exam Reference


Who should take the PCNSE exam

The Palo Alto PCNSE Exam is an internationally recognized validation that identifies persons who earn it as possessing skilled in Palo Alto Networks Certified Network Security Engineer Certification. If candidates want significant improvement in career growth needs enhanced knowledge, skills, and talents. The Palo Alto Networks Certified Network Security Engineer certification provides proof of this advanced knowledge and skill. If a candidate has knowledge of associated technologies and skills that are required to pass the Palo Alto PCNSE Exam then he should take this exam.

This exam is for:

  • Students trying to obtain the PCNSE
  • Students trying to learn the Palo Alto Firewall
  • Networking engineers searching to learn Palo Alto

 

NEW QUESTION 138
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

  • A. Application Override policy.
  • B. Custom application.
  • C. Custom Service object.
  • D. Security policy to identify the custom application.

Answer: A,B

Explanation:
Explanation
Unlike the App-ID engine, which inspects application packet contents for unique signature elements, the Application Override policy's matching conditions are limited to header-based data only. Traffic matched by an Application Override policy is identified by the App-ID entered in the Application entry box.Choices are limited to applications currently in the App-ID database.Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer-4 firewall. Thus, this traffic should be trusted without the need for Content-ID inspection. The resulting application assignment can be used in other firewall functions such as Security policy and QoS.Use CasesThree primary uses cases for Application Override Policy are:
To identify "Unknown" App-IDs with a different or custom application signature To re-identify an existing application signature To bypass the Signature Match Engine (within the SP3 architecture) to improve processing timesA discussion of typical uses of application override and specific implementation examples is here:https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application- Ov

 

NEW QUESTION 139
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama.
All 84 firewalls have an active WildFire subscription On each firewall WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

  • A. Traffic logs
  • B. System logs
  • C. WridFire logs
  • D. Threat logs

Answer: C

 

NEW QUESTION 140
Which interface configuration will accept specific VLAN IDs?

  • A. Subinterface
  • B. Tab Mode
  • C. Access Interface
  • D. Trunk Interface

Answer: A

 

NEW QUESTION 141
TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows.

  • A. FALSE
  • B. TRUE

Answer: B

 

NEW QUESTION 142
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
  • B. Untrust (Any) to DMZ (10.1.1.1), ssh -Allow
  • C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
  • D. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
  • E. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow

Answer: B,C

Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat

 

NEW QUESTION 143
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

  • A. Option B
  • B. Option C
  • C. Option E
  • D. Option A
  • E. Option D

Answer: E

 

NEW QUESTION 144
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

  • A. test security -policy- match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number
  • B. show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
  • C. show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security-policy-match source
  • D. test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>

Answer: A

Explanation:
test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy- Applies-to-a-Traffic-Flow/ta-p/53693

 

NEW QUESTION 145
Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

  • A. Default
  • B. Alert
  • C. Allow
  • D. Log

Answer: B

 

NEW QUESTION 146
VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor.
When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

  • A. Web Application
  • B. Replay
  • C. Zone Protection
  • D. DoS Protection

Answer: C

 

NEW QUESTION 147
Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

  • A. Descendant objects will take precedence over ancestor objects.
  • B. Descendant objects will take precedence over other descendant objects.
  • C. Ancestor objects will have precedence over other ancestor objects.
  • D. Ancestor objects will have precedence over descendant objects.

Answer: D

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-setup-management

 

NEW QUESTION 148
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

  • A. Enable packet buffer protection on the Zone Protection Profile.
  • B. Apply an Anti-Spyware Profile with DNS sinkholing.
  • C. Apply a classified DoS Protection Profile.
  • D. Use the DNS App-ID with application-default.

Answer: C

Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/do To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.

 

NEW QUESTION 149
What are two benefits of nested device groups in Panorama? (Choose two.)

  • A. Reuse of the existing Security policy rules and objects
  • B. Requires configuring both function and location for every device
  • C. All device groups inherit settings from the Shared group
  • D. Overwrites local firewall configuration

Answer: A,C

 

NEW QUESTION 150
Which three options are supported in HA Lite? (Choose three.)

  • A. Configuration synchronization
  • B. Synchronization of IPsec security associations
  • C. Session synchronization
  • D. Virtual link
  • E. Active/passive deployment

Answer: A,B,E

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-high-availability

 

NEW QUESTION 151
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against
external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

  • A. Vulnerability Protection
  • B. URL Filtering
  • C. Anti-Spyware
  • D. Antivirus

Answer: A

Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/
objects-security-profiles-vulnerability-protection

 

NEW QUESTION 152
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
  • B. The firewalls do not use floating IPs in active/active HA.
  • C. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Answer: C

Explanation:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/floating-ip-address-and-virtual-mac-address

 

NEW QUESTION 153
An administrator wants to upgrade an NGFW from PAN-OS® 7.1.2 to PAN-OS® 8.0.2. The firewall is not a part of an HA pair.
What needs to be updated first?

  • A. WildFire
  • B. XML Agent
  • C. Applications and Threats
  • D. PAN-OS® Upgrade Agent

Answer: A

 

NEW QUESTION 154
What are the differences between using a service versus using an application for Security Policy match?

  • A. There are no differences between "service" or "application". Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers.
  • B. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list.
  • C. Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification
  • D. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used

Answer: B

 

NEW QUESTION 155
Which three firewall states are valid? (Choose three.)

  • A. Pending
  • B. Suspended
  • C. Functional
  • D. Active
  • E. Passive

Answer: B,D,E

Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha- firewall-states

 

NEW QUESTION 156
......


Sample Questions

Which configuration must be made on the firewall before it can read User-ID-to-IP-address mapping tables from external sources?

  • C. Captive Portal
  • B. Server Monitoring
  • A. Group Mapping Settings
  • D. User-ID Agents

For an external device to consume a local User-ID-to-IP-address mapping table, which data is used for authentication between the devices?

  • C. administrators account information on the source device with the User-ID role set
  • A. the source device’s Data Redistribution Collector Name and Pre-Shared Key
  • D. certificates added to the User-ID agent configuration
  • B. User-ID agent’s Server Monitor Account information

User-ID-to IP-address mapping tables can be read by which product or service?

  • D. Prisma Cloud
  • B. Panorama Log Collector
  • C. AutoFocus
  • A. Cortex XDR

 

Updated Test Engine to Practice PCNSE Dumps & Practice Exam: https://www.vcedumps.com/PCNSE-examcollection.html

Pass Palo Alto Networks PCNSE PDF Dumps Recently Updated 363 Questions: https://drive.google.com/open?id=1r1E-n1G635y6cXYv-RG7sSJKdUzX8Rn_