Question 1:
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: A
The Panorama address is wrong. Nothing will get to Panorama. The syslog screenshot is not relevant because they say no traffic logs on Panorama. And the screenshot showing no “Log Forwarding” profile is for a single Security policy rule. Every policy needs log forwarding to show up in Panorama. Only valid if a firewall has only 1 rule. And the last screenshot seems like some random Panorama config screen.
Question 2:
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?
A. QoS Statistics
B. Applications Report
C. Application Command Center (ACC)
D. QoS Log
Correct Answer: A
Question 3:
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?
A. Enable packet buffer protection on the Zone Protection Profile.
B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.
Correct Answer: D
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles
To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.
Question 4:
Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)
A. Video Streaming Application
B. Destination Domain
C. Client Application Process
D. Source Domain
E. URL Category
Correct Answer: BCE
The GlobalProtect Gateway supports three methods for split tunneling:
Access Route — You can define a list of IP addresses or subnets that are accessible through the VPN tunnel. All other traffic goes directly to the internet.
Domain and Application — You can define a list of domains or applications that are accessible through the VPN tunnel. All other traffic goes directly to the internet. You can also use this method to exclude specific domains or applications from the VPN tunnel.
Video Traffic — You can exclude video streaming traffic from the VPN tunnel based on predefined categories or custom URLs. This method reduces latency and jitter for video streaming applications.
Question 5:
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not?
A. Yes, because the action is set to “allow”
B. No, because WildFire categorized a file with the verdict “malicious”
C. Yes, because the action is set to “alert”
D. No, because WildFire classified the severity as “high.”
Correct Answer: A
Question 6:
What must be configured to apply tags automatically based on User-ID logs?
A. Log Forwarding profile
B. Device ID
C. Log settings
D. Group mapping
Correct Answer: C
Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
Question 7:
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall.
Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?
A. action 'reset-both' and packet capture 'extended-capture'
B. action 'default' and packet capture 'single-packet'
C. action 'reset-both' and packet capture 'single-packet'
D. action 'reset-server' and packet capture 'disable'
Correct Answer: C
https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles
“Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events.” https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profilesvulnerability-protection
Question 8:
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case?
A. application override
B. Virtual Wire mode
C. content inspection
D. redistribution of user mappings
Correct Answer: D
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network
Question 9:
How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
Correct Answer: D
Question 10:
An engineer is deploying VoIP and needs to ensure that voice traffic is treated with the highest priority on the network. Which QoS priority should be assigned to such an application?
A. Medium
B. Low
C. High
D. Real-time
Correct Answer: D
Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.
Question 11:
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)
A. Run the User-ID Agent using an Active Directory account that has “event log viewer” permissions
B. Enable User-ID on the zone object for the destination zone
C. Run the User-ID Agent using an Active Directory account that has “domain administrator” permissions
D. Enable User-ID on the zone object for the source zone
E. Configure a RADIUS server profile to point to a domain controller
Correct Answer: AD
Question 12:
Only two Trust to Untrust allow rules have been created in the Security policy:
Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.
Which action will allow youtube.com to display in the browser correctly?
A. Add SSL App-ID to Rule1
B. Create an additional Trust to Untrust Rule, add the web-browsing and SSL App-IDs to it
C. Add the DNS App-ID to Rule2
D. Add the Web-browsing App-ID to Rule2
Correct Answer: C
Question 13:
Why would a traffic log list an application as “not-applicable”?
A. The firewall denied the traffic before the application match could be performed.
B. The TCP connection terminated without identifying any application data
C. There was not enough application data after the TCP connection was established
D. The application is not a known Palo Alto Networks App-ID.
Correct Answer: A
According to the documentation, not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service. This occurs because the traffic was dropped or denied before the application match could be performed.
References: 1. Not-applicable in Traffic Logs - Palo Alto Networks; 2. Not-Applicable, Incomplete, Insufficient Data in the Application Field - Palo Alto Networks
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClspCAC
Question 14:
Which three firewall states are valid? (Choose three)
A. Active
B. Functional
C. Pending
D. Passive
E. Suspended
Correct Answer: ADE
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-firewall-states
Question 15:
An administrator is configuring SSL decryption and needs to ensure that all certificates for both SSL Inbound Inspection and SSL Forward Proxy are installed properly on the firewall. When certificates are being imported to the firewall for these purposes, which three certificates require a private key? (Choose three.)
A. Forward Untrust certificate
B. Forward Trust certificate
C. Enterprise Root CA certificate
D. End-entity (leaf) certificate
E. Intermediate certificate(s)
Correct Answer: ABD