Verified PCNSE Dumps Questions 2021

NEW QUESTION 1
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

• A. The three-way TCP handshake was observed, but the application could not be identified.
• B. The three-way TCP handshake did not complete.
• C. The traffic is coming across UDP, and the application could not be identified.
• D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

Answer: B

NEW QUESTION 2
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

• A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
• B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
• C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
• D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

NEW QUESTION 3
Which protection feature is available only in a Zone Protection Profile?

• A. SYN Flood Protection using SYN Flood Cookies
• B. ICMP Flood Protection
• C. Port Scan Protection
• D. UDP Flood Protections

Answer: A

NEW QUESTION 4
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

• A. SSL Forward Proxy
• B. SSL Inbound Inspection
• C. TLS Bidirectional proxy
• D. SSL Outbound Inspection

Answer: A

NEW QUESTION 5
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

• A. The settings assigned to the template that is on top of the stack.
• B. The administrator will be promoted to choose the settings for that chosen firewall.
• C. All the settings configured in all templates.
• D. Depending on the firewall location, Panorama decides with settings to send.

Answer: B

Explanation: Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/manage-templates-and-template-stacks/configure-a-template-stack

NEW QUESTION 6
Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

• A. 172.20.30.1
• B. 172.20.40.1
• C. 172.20.20.1
• D. 172.20.10.1

Answer: C

NEW QUESTION 7
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

• A. Block sessions with expired certificates
• B. Block sessions with client authentication
• C. Block sessions with unsupported cipher suites
• D. Block sessions with untrusted issuers
• E. Block credential phishing

Answer: ABC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-profile

NEW QUESTION 8
A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

• A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
• B. Traffic will be forced to operate over UDP Port 16384.
• C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
• D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

NEW QUESTION 9
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)

• A. The firewalls must have the same set of licenses.
• B. The management interfaces must to be on the same network.
• C. The peer HA1 IP address must be the same on both firewalls.
• D. HA1 should be connected to HA1. Either directly or with an intermediate Layer 2 device.

Answer: AD

NEW QUESTION 10
Which three split tunnel methods are supported by a globalProtect gateway? (Choose three.)

• A. video streaming application
• B. Client Application Process
• C. Destination Domain
• D. Source Domain
• E. Destination user/group
• F. URL Category

Answer: ABC

NEW QUESTION 11
Which event will happen if an administrator uses an Application Override Policy?

• A. Threat-ID processing time is decreased.
• B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
• C. The application name assigned to the traffic by the security rule is written to the Traffic log.
• D. App-ID processing time is increased.Explanation:

Answer: B

Explanation: Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513

NEW QUESTION 12
Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

• A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
• B. Configuring the metric for RIP to be higher than that of OSPF Int.
• C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
• D. Configuring the metric for RIP to be lower than that OSPF Ext.

Answer: A

NEW QUESTION 13
A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

• A. Click the simple-critical rule and then click the Action drop-down list.
• B. Click the Exceptions tab and then click show all signatures.
• C. View the default actions displayed in the Action column.
• D. Click the Rules tab and then look for rules with "default" in the Action column.

Answer: B

NEW QUESTION 14
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?

• A. Configure ECMP to handle matching NAT traffic
• B. Configure a NAT Policy rule with Dynamic IP and Port
• C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
• D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option

Answer: C

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples

NEW QUESTION 15
Which CLI command displays the current management plan memory utilization?

• A. > show system info
• B. > show system resources
• C. > debug management-server show
• D. > show running resource-monitor

Answer: B

Explanation: https://live.paloaltonetworks.comHYPERLINK "https://live.paloaltonetworks.com/t5/Management- Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58149"/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of- 9999/ta-p/58149

NEW QUESTION 16
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
Users outside the company are in the "Untrust-L3" zone The web server physically resides in the "Trust-L3" zone. Web server public IP address: 23.54.6.10
Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

• A. Untrust-L3 for both Source and Destination zone
• B. Destination IP of 192.168.1.10
• C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
• D. Destination IP of 23.54.6.10

Answer: CD

NEW QUESTION 17
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

• A. Security policy rule allowing SSL to the target server
• B. Firewall connectivity to a CRL
• C. Root certificate imported into the firewall with “Trust” enabled
• D. Importation of a certificate from an HSM

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

NEW QUESTION 18
How does Panorama prompt VMWare NSX to quarantine an infected VM?

• A. HTTP Server Profile
• B. Syslog Server Profile
• C. Email Server Profile
• D. SNMP Server Profile

Answer: A

NEW QUESTION 19
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

• A. QoS Statistics
• B. Applications Report
• C. Application Command Center (ACC)
• D. QoS Log

Answer: A