Practical PCNSE Exam Questions 2021

NEW QUESTION 1
Which three options are available when creating a security profile? (Choose three)

• A. Anti-Malware
• B. File Blocking
• C. Url Filtering
• D. IDS/ISP
• E. Threat Prevention
• F. Antivirus

Answer: ABF

NEW QUESTION 2
Based on the image, what caused the commit warning?

• A. The CA certificate for FWDtrust has not been imported into the firewall.
• B. The FWDtrust certificate has not been flagged as Trusted Root CA.
• C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
• D. The FWDtrust certificate does not have a certificate chain.

Answer: D

NEW QUESTION 3
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

• A. application override
• B. Virtual Wire mode
• C. content inspection
• D. redistribution of user mappings

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network

NEW QUESTION 4
How are IPV6 DNS queries configured to user interface ethernet1/3?

• A. Network > Virtual Router > DNS Interface
• B. Objects > CustomerObjects > DNS
• C. Network > Interface Mgrnt
• D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 5
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

• A. Create a custom application.
• B. Create a custom object for the custom application server to identify the custom application.
• C. Submit an Apple-ID request to Palo Alto Networks.
• D. Create a Security policy to identify the custom application.

Answer: AB

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/use-application-objects-in-policy/create-a-custom-application

NEW QUESTION 6
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

• A. Service route
• B. Default route
• C. Management profile
• D. Authentication profile

Answer: A

NEW QUESTION 7
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?

• A. A Server Profile has not been configured for logging to this Panorama device.
• B. Panorama is not licensed to receive logs from this particular firewall.
• C. The firewall is not licensed for logging to this Panorama device.
• D. None of the firwwall's policies have been assigned a Log Forwarding profile

Answer: D

NEW QUESTION 8
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

• A. Enable packet buffer protection on the Zone Protection Profile.
• B. Apply an Anti-Spyware Profile with DNS sinkholing.
• C. Use the DNS App-ID with application-default.
• D. Apply a classified DoS Protection Profile.

Answer: A

NEW QUESTION 9
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

• A. Configure a Decryption Profile and select SSL/TLS services.
• B. Set up SSL/TLS under Polices > Service/URL Category>Service.
• C. Set up Security policy rule to allow SSL communication.
• D. Configure an SSL/TLS Profile.

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-ssltls-service-profile

NEW QUESTION 10
Refer to the exhibit.

Which will be the egress interface if the traffic’s ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

• A. ethernet1/6
• B. ethernet1/3
• C. ethernet1/7
• D. ethernet1/5

Answer: D

NEW QUESTION 11
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

• A. Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per ingress zone.
• B. Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection.
• C. Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per ingress zone.
• D. Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection pre egress zone.
• E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer Protection per zone.

Answer: A

NEW QUESTION 12
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)

• A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
• B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
• C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
• D. Untrust (Any) to DMZ (10.1.1.1), ssh –Allow
• E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Answer: CD

NEW QUESTION 13
Which feature prevents the submission of corporate login information into website forms?

• A. Data filtering
• B. User-ID
• C. File blocking
• D. Credential phishing prevention

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation-security-platform-contributes-to-gdpr-compliance

NEW QUESTION 14
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

• A. Verify AutoFocus status using CLI.
• B. Check the WebUI Dashboard AutoFocus widget.
• C. Check for WildFire forwarding logs.
• D. Check the license
• E. Verify AutoFocus is enabled below Device Management tab.

Answer: BD

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence

NEW QUESTION 15
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

• A. Master
• B. Universal
• C. Shared
• D. Global

Answer: C

NEW QUESTION 16
YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

• A. Outbound profile with Guaranteed Ingress
• B. Outbound profile with Maximum Ingress
• C. Inbound profile with Guaranteed Egress
• D. Inbound profile with Maximum Egress

Answer: D

NEW QUESTION 17
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

• A. CRL
• B. CRT
• C. OCSP
• D. Cert-Validation-Profile
• E. SSL/TLS Service Profile

Answer: AC

NEW QUESTION 18
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

• A. equal-cost multipath
• B. ingress processing errors
• C. rule match with action "allow"
• D. rule match with action "deny"

Answer: BD

NEW QUESTION 19
What is the purpose of the firewall decryption broker?

• A. Decrypt SSL traffic a then send it as cleartext to a security chain of inspection tools
• B. Force decryption of previously unknown cipher suites
• C. Inspection traffic within IPsec tunnel
• D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools

Answer: A