Title: Enhance your career with PCNSE PDF Dumps - True Palo Alto Networks Exam Questions [Q135-Q159]
Source: Exams Labs Braindumps [ http://blog.examslabs.com ], exported Thu Dec 26 23:06:59 2024 / +0000 GMT

QUESTION 135
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

- review the configuration logs on the Monitor tab
- click Preview Changes under Push Scope
- use Test Policy Match to review the policies in Panorama
- context-switch to the affected firewall and use the configuration audit tool

Explanation: The configuration log displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-logs/log-types

QUESTION 136
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, what must you do?

- Upgrade the Log Collectors one at a time.
- Add Panorama Administrators to each Managed Collector.
- Add a Global Authentication Profile to each Managed Collector.
- Upgrade all the Log Collectors at the same time.
Explanation: You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected

QUESTION 137
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

- port mapping
- server monitoring
- client probing
- XFF headers

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-for-terminal-server-users

QUESTION 138
Exhibit: (image not included)
What will be the source address in the ICMP packet?

- 10.30.0.93
- 10.46.72.93
- 10.46.64.94
- 192.168.93.1

QUESTION 139
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

- Phase 2 SAs are synchronized over HA2 links.
- Phase 1 and Phase 2 SAs are synchronized over HA2 links.
- Phase 1 SAs are synchronized over HA1 links.
- Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Explanation: From the Palo Alto Networks documentation below: “when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls… This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls.” And from the second link: “Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive).
It flows from the active firewall to the passive firewall.”
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief

QUESTION 140
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

- Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.
- Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Explanation:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/virtual-wire-
Virtual wire interfaces by default allow all untagged traffic. You can, however, use a virtual wire to connect two interfaces and configure either interface to block or allow traffic based on the virtual LAN (VLAN) tags.
VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones, and then classify traffic according to a VLAN tag or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

QUESTION 141
How does Panorama prompt VMware NSX to quarantine an infected VM?

- HTTP Server Profile
- Syslog Server Profile
- Email Server Profile
- SNMP Server Profile

Explanation:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-nsx/se

QUESTION 142
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator’s home and is experiencing issues completing the connection. The following is the output from the command “less mp-log ikemgr.log”: (output not included)
What could be the cause of this problem?

- The public IP addresses do not match for both the Palo Alto Networks firewall and the ASA.
- The Proxy IDs on the Palo Alto Networks firewall do not match the settings on the ASA.
- The shared secrets do not match between the Palo Alto Networks firewall and the ASA.
- The dead peer detection settings do not match between the Palo Alto Networks firewall and the ASA.

QUESTION 143
Refer to Exhibit: (image not included)
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
(options missing from the export)

QUESTION 144
Exhibit: (image not included)
What will be the egress interface if the traffic’s ingress interface is ethernet1/6, sourcing from 192.168.111.3 to the destination 10.46.41.113, during the time shown in the image?
- ethernet1/7
- ethernet1/5
- ethernet1/6
- ethernet1/3

QUESTION 145
Review the screenshot of the Certificates page. (image not included)
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?

- The forward trust certificate has not been signed by the self-signed root CA certificate.
- The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- The forward untrust certificate has not been signed by the self-signed root CA certificate.
- The forward trust certificate has not been installed in client systems.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy

QUESTION 146
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

- Load configuration version
- Save candidate config
- Export device state
- Load named configuration snapshot

QUESTION 147
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

- Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
- Add a Vulnerability Protection Profile to block the attack.
- Add QoS Profiles to throttle incoming requests.
- Add a DoS Protection Profile with defined session count.
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/dos-protection-profiles

QUESTION 148
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known. What can the administrator configure to establish the VPN connection?

- Set up certificate authentication.
- Use the Dynamic IP address type.
- Enable Passive Mode.
- Configure the peer address as an FQDN.

Explanation: When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device’s certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device’s dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device’s fully qualified domain name.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0

QUESTION 149
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

- Device > Setup > Services > AutoFocus
- Device > Setup > Management > AutoFocus
- AutoFocus is enabled by default on the Palo Alto Networks NGFW
- Device > Setup > WildFire > AutoFocus
- Device > Setup > Management > Logging and Reporting Settings

Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-inte

QUESTION 150
When is the content inspection performed in the packet flow process?
- after the application has been identified
- before session lookup
- before the packet forwarding process
- after the SSL Proxy re-encrypts the packet

QUESTION 151
View the GlobalProtect configuration screen capture. (image not included)
What is the purpose of this configuration?

- It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
- It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
- It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
- It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server.

Reference: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-por the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
“Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways. When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways.”

QUESTION 152
An administrator needs to assign a specific DNS server to one firewall within a device group. Where would the administrator go to edit a template variable at the device level?
- Variable CSV export under Panorama > templates
- PDF Export under Panorama > templates
- Manage variables under Panorama > templates
- Managed Devices > Device Association

Explanation: To edit a template variable at the device level, you need to go to Manage variables under Panorama > templates. This allows you to override the default value of a variable for a specific device or device group. For example, you can assign a specific DNS server to one firewall within a device group by editing the ${dns-primary} variable for that device.
Reference: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-templates/use-tem

QUESTION 153
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram? (diagram not included)

- IP Netmask
- IP Wildcard Mask
- IP Address
- IP Range

QUESTION 154
A user at an external system with the IP address 65.124.57.5 queries the DNS server at 4.2.2.2 for the IP address of the web server, www.xyz.com. The DNS server returns an address of 172.16.15.1. In order to reach the web server, which Security rule and NAT rule must be configured on the firewall?
(options missing from the export)

Explanation: The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

QUESTION 155
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

- XML API
- Port Mapping
- Client Probing
- Server Monitoring

Explanation: Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent.
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/user-id-concepts/group-mapping#id93306080-fd9b-4f1b-96a6-4bfe1c8e69df

QUESTION 156
Which command can be used to validate a Captive Portal policy?
- eval captive-portal policy <criteria>
- request cp-policy-eval <criteria>
- test authentication-policy-match <criteria>
- debug cp-policy <criteria>

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-policy-matches

QUESTION 157
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the “security certificate is not trusted” warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain, Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?
- Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA checkbox, and commit the configuration.
- Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.
- Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
- Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-certificates/manage-default-trusted-certificate-authorities

QUESTION 158
Exhibit: (image not included)
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

- Any configuration on an M-500 would address the insufficient bandwidth concerns.
- Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
- Configure log compression and optimization features on all remote firewalls.
- Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

QUESTION 159
Given the following snippet of a WildFire submission log, did the end user successfully download a file? (log snippet not included)

- No, because the URL generated an alert.
- Yes, because both the web-browsing application and the flash file have the “alert” action.
- Yes, because the final action is set to “allow.”
- No, because the action for the wildfire-virus is “reset-both.”

Explanation: Based on the snippet of the WildFire submission log provided, it appears that the end user was able to successfully download a file. The key indicator here is that the final action for the web-browsing application and the flash file is set to “allow.” This means that despite any alerts or other actions taken earlier in the process, the ultimate decision was to allow the file to be downloaded.

The PCNSE Certification Exam is intended for security professionals who are responsible for designing, deploying, configuring, and managing Palo Alto Networks security solutions. Candidates are expected to have a strong understanding of network security concepts, firewall technologies, and the features and functionality of the Palo Alto Networks platform. They should also have experience in implementing security policies, configuring security profiles, and troubleshooting network security issues.

Post date: 2024-11-28 09:30:59 GMT