Most Up-to-date PCNSE7 Samples 2021

NEW QUESTION 1

A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

• A. BGP not sure
• B. OSPFv3
• C. RIP
• D. Static Route

Answer: BD

Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic-Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

NEW QUESTION 2

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

• A. DHCP has been set to Auto.
• B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
• C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
• D. DNS has not been properly configured on the firewall

Answer: B

NEW QUESTION 3

Which three log-forwarding destinations require a server profile to be configured? (Choose three)

• A. SNMP Trap
• B. Email
• C. RADIUS
• D. Kerberos
• E. Panorama
• F. Syslog

Answer: ABF

NEW QUESTION 4

How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?

• A. Enable support for non-standard syslog messages under device management
• B. Check the custom-format check box in the syslog server profile
• C. Select a non-standard syslog server profile
• D. Create a custom log format under the syslog server profile

Answer: D

NEW QUESTION 5

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

• A. The two devices must share a routable floating IP address
• B. The two devices may be different models within the PA-5000 series
• C. The HA1 IP address from each peer must be on a different subnet
• D. The management port may be used for a backup control connection

Answer: D

NEW QUESTION 6

Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)

• A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
• B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
• C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
• D. Untrust (Any) to DMZ (10.1.1.1), ssh –Allow
• E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Answer: CD

NEW QUESTION 7

An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

What could be the cause of this problem?

• A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
• B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.
• C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
• D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.

Answer: C

NEW QUESTION 8

Which three settings are defined within the Templates object of Panorama? (Choose three.)

• A. Setup
• B. Virtual Routers
• C. Interfaces
• D. Security
• E. Application Override

Answer: ADE

NEW QUESTION 9

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

• A. The settings assigned to the template that is on top of the stack.
• B. The administrator will be promoted to choose the settings for that chosen firewall.
• C. All the settings configured in all templates.
• D. Depending on the firewall location, Panorama decides with settings to send.

Answer: B

NEW QUESTION 10

Which CLI command can be used to export the tcpdump capture?

• A. scp export tcpdump from mgmt.pcap to <username@host:path>
• B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
• C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
• D. download mgmt.-pcap

Answer: C

NEW QUESTION 11

A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
✑ Users outside the company are in the "Untrust-L3" zone
✑ The web server physically resides in the "Trust-L3" zone.
✑ Web server public IP address: 23.54.6.10
✑ Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

• A. Untrust-L3 for both Source and Destination zone
• B. Destination IP of 192.168.1.10
• C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
• D. Destination IP of 23.54.6.10

Answer: CD

NEW QUESTION 12

Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

• A. Master
• B. Universal
• C. Shared
• D. Global

Answer: C

NEW QUESTION 13

Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.0? (Choose two.)

• A. KVM
• B. VMware ESX
• C. VMware NSX
• D. AWS

Answer: AB

NEW QUESTION 14

When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

• A. The IP Address of sinkhole.paloaltonetworks.com
• B. The IP Address of the command-and-control server
• C. The IP Address specified in the sinkhole configuration
• D. The IP Address of one of the external DNS servers identified in the anti-spyware database

Answer: C

Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864

NEW QUESTION 15

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

• A. View Runtime Stats in the virtual router.
• B. View System logs.
• C. Add a redistribution profile to forward as BGP updates.
• D. Perform a traffic pcap at the routing stage.

Answer: AC

NEW QUESTION 16

A network security engineer for a large company has just installed a PA-5060 Firewall to isolate the company’s PCI environment from its production network. The company’s engineers made configuration changes to the switches on both network segments, and connected them to the new firewall.
Soon after the cutover, however, users began to complain about latency and some servicers stopped communicating. There are no security policies that deny traffic between the two networks segments. You suspect that there is an interface misconfiguration on Ethernet 1/1.
Which two commands should be used to troubleshoot the issue? (Choose two)

• A. show interface hardware
• B. show interface management
• C. show interface ethernet1/1
• D. show interface logical

Answer: CD

NEW QUESTION 17

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purpose (Choose two)

• A. ms.log
• B. traffic.log
• C. system.log
• D. dp-monitor.log
• E. authd.log

Answer: CE

NEW QUESTION 18

A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

• A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
• B. Traffic will be forced to operate over UDP Port 16384.
• C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
• D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

NEW QUESTION 19

Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

• A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
• B. The devices are licensed and ready for deployment.
• C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
• D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
• E. The interface are pingable.

Answer: BC

NEW QUESTION 20

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

• A. Disable Server Response Inspection
• B. Apply an Application Override
• C. Disable HIP Profile
• D. Add server IP Security Policy exception

Answer: A

NEW QUESTION 21

Given the following table.

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

• A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.
• B. Configuring the metric for RIP to be higher than that of OSPF Int.
• C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
• D. Configuring the metric for RIP to be lower than that OSPF Ext.

Answer: A

NEW QUESTION 22

Which feature prevents the submission of corporate login information into website forms?

• A. Data filtering
• B. User-ID
• C. File blocking
• D. Credential phishing prevention

Answer: D

NEW QUESTION 23

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

• A. Red Hat Enterprise Virtualization (RHEV)
• B. Kernel Virtualization Module (KVM)
• C. Boot Strap Virtualization Module (BSVM)
• D. Microsoft Hyper-V

Answer: BD

NEW QUESTION 24

A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

• A. Application Override policy.
• B. Security policy to identify the custom application.
• C. Custom application.
• D. Custom Service object.

Answer: BC

NEW QUESTION 25
......