High value PCNSE Braindumps 2021

NEW QUESTION 1
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

• A. Select download-and-install.
• B. Select download-and-install, with "Disable new apps in content update" selected.
• C. Select download-only.
• D. Select disable application updates and select "Install only Threat updates"

Answer: C

NEW QUESTION 2
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

• A. SNMP Trap
• B. Email
• C. RADIUS
• D. Kerberos
• E. Panorama
• F. Syslog

Answer: ABF

NEW QUESTION 3
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?

• A. Custom application
• B. System logs show an application error and neither signature is used.
• C. Downloaded application
• D. Custom and downloaded application signature files are merged and both are used

Answer: A

NEW QUESTION 4
Support for which authentication method was added in PAN-OS 8.0?

• A. RADIUS
• B. LDAP
• C. Diameter
• D. TACACS+

Answer: D

Explanation: https://www.paloaltonetworks.com/resources/datasheets/whats-new-in-pan-os-7-1

NEW QUESTION 5
A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?

• A. Change the Site-B IKE Gateway profile version to match Site-A,
• B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
• C. Enable NAT Traversal on the Site-A IKE Gateway profile.
• D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Answer: D

NEW QUESTION 6
Which data flow describes redistribution of user mappings?

• A. User-ID agent to firewall
• B. firewall to firewall
• C. Domain Controller to User-ID agent
• D. User-ID agent to Panorama

Answer: B

NEW QUESTION 7
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

• A. test panoramas-connect 10.10.10.5
• B. show panoramas-status
• C. show arp all I match 10.10.10.5
• D. topdump filter "host 10.10.10.5
• E. debug dataplane packet-diag set capture on

Answer: BD

NEW QUESTION 8
Which three authentication services can administrator use to authenticate admins into the Palo Alto
Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

• A. Kerberos
• B. PAP
• C. SAML
• D. TACACS+ E.RADIUS F.LDAP

Answer: D

NEW QUESTION 9
Which CLI command can be used to export the tcpdump capture?

• A. scp export tcpdump from mgmt.pcap to <username@host:path>
• B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
• C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
• D. download mgmt.-pcapExplanation:

Answer: C

Explanation: Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415

NEW QUESTION 10
Which feature must you configure to prevent users form accidentally submitting their corporate
credentials to a phishing website?

• A. URL Filtering profile
• B. Zone Protection profile
• C. Anti-Spyware profile
• D. Vulnerability Protection profileExplanation:

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing

NEW QUESTION 11
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

• A. Destination IPof 23.54.6.10
• B. UntrustL3 for both Source and Destination Zone
• C. Destination IP of 192.168.1.10
• D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone

Answer: AB

NEW QUESTION 12
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

• A. Okta
• B. DUO
• C. RADIUS
• D. PingID

Answer: C

NEW QUESTION 13
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

• A. Blocked Activity
• B. Bandwidth Activity
• C. Threat Activity
• D. Network Activity

Answer: D

NEW QUESTION 14
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

• A. The firewall is in multi-vsys mode.
• B. The traffic is offloaded.
• C. The traffic does not match the packet capture filter.
• D. The firewall’s DP CPU is higher than 50%.

Answer: BC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload

NEW QUESTION 15
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

• A. Port Inspection
• B. Certificate revocation
• C. Content-ID
• D. App-ID

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/quality-of-service/qos-for-applications-and-users

NEW QUESTION 16
Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

• A. Log
• B. Alert
• C. Allow
• D. Default

Answer: B

NEW QUESTION 17
Exhibit:

What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

• A. ethernet1/7
• B. ethernet1/5
• C. ethernet1/6
• D. ethernet1/3

Answer: D

NEW QUESTION 18
In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall.
Which authentication method must be used?

• A. LDAP
• B. Kerberos
• C. Certification based authentication
• D. RADIUS with Vendor-Specific Attributes

Answer: D

NEW QUESTION 19
Which administrative authentication method supports authorization by an external service?

• A. Certificates
• B. LDAP
• C. RADIUS
• D. SSH keys

Answer: C