Actual4dump PCNSE Dumps PDF - 100% Passing Guarantee
PCNSE Braindumps Real Exam Updated on Jun 17, 2022 with 444 Questions
NEW QUESTION 243
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case?
- A. Application override
- B. Virtual Wire mode
- C. Content inspection
- D. Redistribution of user mappings
Answer: D
NEW QUESTION 244
An administrator has a PA-820 firewall with an active Threat Prevention subscription The administrator is considering adding a WildFire subscription How does adding the WildFire subscription improve the security posture of the organization1?
- A. After 24 hours WildFire signatures are included in the antivirus update
- B. WildFire and Threat Prevention combine to minimize the attack surface
- C. Protection against unknown malware can be provided in near real-time
- D. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
Answer: B
NEW QUESTION 245
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
- A. Both SSH keys and SSL certificates must be generated.
- B. SSL certificates must be generated.
- C. SSH keys must be manually generated.
- D. No prerequisites are required.
Answer: D
Explanation:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssh-proxy
NEW QUESTION 246
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance.
Which interface type and license feature are necessary to meet the requirement?
- A. Decryption Mirror interface with the Threat Analysis license
- B. Decryption Mirror interface with the associated Decryption Port Mirror license
- C. Tap interface with the Decryption Port Mirror license
- D. Virtual Wire interface with the Decryption Port Export license
Answer: B
Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/decryption-mirroring
"Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring. "
NEW QUESTION 247
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?
- A. Using the same user's corporate username and password.
- B. Marching any valid corporate username.
- C. Mapping to the IP address of the logged-in user.
- D. First four letters of the username matching any valid corporate username.
Answer: C
Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-
os/newfeaturesguide/content-inspection-features/credential- phishing-prevention
NEW QUESTION 248
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?
- A. Port Mapping
- B. Server Monitoring
- C. Client Probing
- D. XML API
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xml-api.html
NEW QUESTION 249
An administrator needs to upgrade an NGFW to the most current version of PAN-OS software. The following is occurring:
* Firewall has internet connectivity through e 1/1.
* Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
* Service route is configured, sourcing update traffic from e1/1.
* A communication error appears in the System logs when updates are performed.
* Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?
- A. Static route pointing application PaloAlto-updates to the update servers
- B. Security policy rule allowing PaloAlto-updates as the application
- C. Scheduler for timed downloads of PAN-OS software
- D. DNS settings for the firewall to use for resolution
Answer: D
Explanation:
Explanation/Reference:
NEW QUESTION 250
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed
Which Panorama tool can help this organization?
- A. Application Groups
- B. Config Audit
- C. Test Policy Match
- D. Policy Optimizer
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer
his new feature identifies port-based rules so you can convert them to application-based rules that allow the traffic or add applications to existing rules without compromising application availability. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html
NEW QUESTION 251
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
- A. Panorama discards incoming logs when storage capacity full.
- B. Panorama stops accepting logs until licenses for additional storage space are applied
- C. Panorama stops accepting logs until a reboot to clean storage space.
- D. Panorama automatically deletes older logs to create space for new ones.
Answer: D
Explanation:
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/se t-up-panorama/determine-panorama-log-storage-requirements)
NEW QUESTION 252
A Security policy rule is configured with a Vulnerability Protection Profile and an action of 'Deny".
Which action will this cause configuration on the matched traffic?
- A. The configuration will allow the matched session unless a vulnerability signature is detected. The
"Deny" action will supersede theper-severity defined actions defined in the associated Vulnerability Protection Profile. - B. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
- C. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect ifthe Security policy rule action is set to "Deny."
- D. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
Answer: A
NEW QUESTION 253
In the following image from Panorama, why are some values shown in red?
- A. sg2 session count is the lowest compared to the other managed devices.
- B. uk3 has a logging rate that deviates from the seven-day calculated baseline.
- C. us3 has a logging rate that deviates from the administrator-configured thresholds.
- D. sg2 has misconfigured session thresholds.
Answer: B
NEW QUESTION 254
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory What must be configured in order to select users and groups for those rules from Panorama?
- A. The Security rules must be targeted to a firewall in the device group and have Group Mapping configured
- B. A master device with Group Mapping configured must be set in the device group where the Security rules are configured
- C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
- D. A User-ID Certificate profile must be configured on Panorama
Answer: A
NEW QUESTION 255
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
- A. Wildfire update package
- B. User-ID agent
- C. Application and Threats update package
- D. Anti virus update package
Answer: C
Explanation:
Explanation
Explanation : Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade.
: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
NEW QUESTION 256
What are two benefits of nested device groups in Panorama? (Choose two.)
- A. Requires configuring both function and location for every device
- B. All device groups inherit settings form the Shared group
- C. Overwrites local firewall configuration
- D. Reuse of the existing Security policy rules and objects
Answer: A,B
Explanation:
https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy#
NEW QUESTION 257
Refer to the exhibit.
Which certificates can be used as a Forwarded Trust certificate?
- A. Domain Sub-CA
- B. Domain-Root-Cert
- C. Forward_Trust
- D. Certificate from Default Trust Certificate Authorities
Answer: A
NEW QUESTION 258
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?
- A. Untrust-L3
- B. Guest-L3
- C. Trust-L3
- D. DMZ-L3
Answer: A
Explanation:
Create the NAT policy.
1. Select Policies > NAT and click Add.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop down.
4. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop- down in the Source Address Translation section of the screen and then click Add. Select the address object you just created.
5. Click OK to save the NAT policy.
https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/configure-nat- policies
NEW QUESTION 259
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?
- A. Port Mapping
- B. Server Monitoring
- C. Client Probing
- D. XML API
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xml-api.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring.html
NEW QUESTION 260
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)


- A. Exhibit D
- B. Exhibit A
- C. Exhibit B
- D. Exhibit C
Answer: A,B
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/web-interface-basics/commit-changes.h
NEW QUESTION 261
Based on the following image,
what is the correct path of root, intermediate, and end-user certificate?
- A. Palo Alto Networks > Symantec > VeriSign
- B. VeriSign > Symantec > Palo Alto Networks
- C. VeriSign > Palo Alto Networks > Symantec
- D. Symantec > VeriSign > Palo Alto Networks
Answer: D
NEW QUESTION 262
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image.
Which configuration change should the administrator make?
A:
B:
C:
D:
E:
- A. Option B
- B. Option E
- C. Option D
- D. Option C
- E. Option A
Answer: A
NEW QUESTION 263
Which two statements are true for the DNS Security service? (Choose two.)
- A. It removes the 100K limit for DNS entries for the downloaded DNS updates
- B. It functions like PAN-DB and requires activation through the app portal
- C. It eliminates the need for dynamic DNS updates
- D. It is automatically enabled and configured
Answer: B,C
Explanation:
https://docs.paloaltonetworks.com/dns-security.html
NEW QUESTION 264
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?
- A. port mapping
- B. XFF headers
- C. client probing
- D. server monitoring
Answer: A
Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-m
NEW QUESTION 265
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?
- A. Gray ware
- B. Spyware
- C. Phishing
- D. Malware
Answer: A
Explanation:
Explanation
Wildfire verdictions are as follow 4-Phishing
https://www.paloaltonetworks.com/documentation/80/wildfire
/wf_admin/wildfire-overview/wildfire-concepts/verdicts
NEW QUESTION 266
During the packet flow process, which two processes are performed in application identification? (Choose two.)
- A. Application changed from content inspection
- B. Application override policy match
- C. Session application identified.
- D. Pattern based application identification
Answer: B,D
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
http://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
NEW QUESTION 267
......
PCNSE Dumps With 100% Verified Q&As - Pass Guarantee or Full Refund: https://www.actual4dump.com/Palo-Alto-Networks/PCNSE-actualtests-dumps.html
Latest PCNSE PDF Dumps & Real Tests Free Updated Today: https://drive.google.com/open?id=1dXv2ddPC-jwslIyXQfYuATlX0GKPSjte