Paloalto Networks PCNSE Braindumps 2021

NEW QUESTION 1
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

• A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
• B. Add a Vulnerability Protection Profile to block the attack.
• C. Add QoS Profiles to throttle incoming requests.
• D. Add a DoS Protection Profile with defined session count.Explanation:

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/dos-protection-profiles

NEW QUESTION 2
What must be used in Security Policy Rule that contain addresses where NAT policy applies?

• A. Pre-NAT addresse and Pre-NAT zones
• B. Post-NAT addresse and Post-Nat zones
• C. Pre-NAT addresse and Post-Nat zones
• D. Post-Nat addresses and Pre-NAT zones

Answer: C

NEW QUESTION 3
When is the content inspection performed in the packet flow process?

• A. after the application has been identified
• B. before session lookup
• C. before the packet forwarding process
• D. after the SSL Proxy re-encrypts the packet

Answer: A

Explanation: Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta- p/56081

NEW QUESTION 4
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?

• A. A Certificate Profile that contains the client certificate needs to be selected.
• B. The source address supports only files hosted with an ftp://<address/file>.
• C. External Dynamic Lists do not support SSL connections.
• D. A Certificate Profile that contains the CA certificate needs to be selected.

Answer: D

NEW QUESTION 5
SAML SLO is supported for which two firewall features? (Choose two.)

• A. GlobalProtect Portal
• B. CaptivePortal
• C. WebUI
• D. CLI

Answer: AB

NEW QUESTION 6
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

• A. Microsoft Active Directory
• B. Microsoft Terminal Services
• C. Aerohive Wireless Access Point
• D. Palo Alto Networks Captive Portal

Answer: B

NEW QUESTION 7
Which two features does PAN-OS® software use to identify applications? (Choose two)

• A. port number
• B. session number
• C. transaction characteristics
• D. application layer payload

Answer: CD

NEW QUESTION 8
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

• A. The two devices must share a routable floating IP address
• B. The two devices may be different models within the PA-5000 series
• C. The HA1 IP address from each peer must be on a different subnet
• D. The management port may be used for a backup control connection

Answer: D

NEW QUESTION 9
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

• A. Panorama virtual appliance on ESX(i) only
• B. M-500
• C. M-100 with Panorama installed
• D. M-100

Answer: BC

Explanation: (httpHYPERLINK "https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and- Design-Guide/ta-p/72181"s://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing- and-Design-Guide/ta-p/72181)

NEW QUESTION 10
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

• A. Virtual router
• B. Security zone
• C. ARP entries
• D. Netflow Profile

Answer: AB

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-interfaces/pa-7000-series- layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd- 8064499f5b9d

NEW QUESTION 11
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

• A. Configure the option for “Threshold”.
• B. Disable automatic updates during weekdays.
• C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
• D. Automatically “download and install” but with the “disable new applications” option used.

Answer: A

NEW QUESTION 12
Which logs enable a firewall administrator to determine whether a session was decrypted?

• A. Correlated Event
• B. Traffic
• C. Decryption
• D. Security Policy

Answer: B

NEW QUESTION 13
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

• A. In the details of the Traffic log entries
• B. Decryption log
• C. Data Filtering log
• D. In the details of the Threat log entries

Answer: A

Explanation: Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

NEW QUESTION 14
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

• A. Application Override policy.
• B. Security policy to identify the custom application.
• C. Custom application.
• D. Custom Service object.

Answer: BD

NEW QUESTION 15
What are three valid method of user mapping? (Choose three)

• A. Syslog
• B. XML API
• C. 802.1X
• D. WildFire
• E. Server Monitoring

Answer: ABE

NEW QUESTION 16
A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

• A. The firewall does not have an active WildFire subscription.
• B. The engineer's account does not have permission to view WildFire Submissions.
• C. A policy is blocking WildFire Submission traffic.
• D. Though WildFire is working, there are currently no WildFire Submissions log entries.

Answer: B

NEW QUESTION 17
Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.
What would be the administrator's next step?

• A. Right-Click on the bittorrent link and select Value from the context menu
• B. Create a global filter for bittorrent traffic and then view Traffic logs.
• C. Create local filter for bittorrent traffic and then view Traffic logs.
• D. Click on the bittorrent application link to view network activity

Answer: D

NEW QUESTION 18
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab?

• A. Admin Role
• B. WebUI
• C. Authentication
• D. Authorization

Answer: A

NEW QUESTION 19
A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's
firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

• A. A report can be created that identifies unclassified traffic on the network.
• B. Different security profiles can be applied to traffic matching rules 2 and 3.
• C. Rule 2 and 3 apply to traffic on different ports.
• D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Answer: BD