[December-2021]Download PCNSE VCE Dumps from Braindump2go[Q390-Q421]

December/2021 Latest Braindump2go PCNSE Exam Dumps with PDF and VCE Free Updated Today! Following are some new PCNSE Real Exam Questions!

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
B. Add a WildFire subscription to activate DoS and zone protection features.
C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.
D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.

Answer: A
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection.html

An administrator receives the following error message:
“IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id type IPv4 address protocol 0 port 0.”
How should the administrator identify the root cause of this error message?

A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.
B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.
C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.
D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Answer: B
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html

The following objects and policies are defined in a device group hierarchy.

Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group
What objects and policies will the Dallas-FW receive if “Share Unused Address and Service Objects” is enabled in Panorama?

A. Address Objects
– Shared Address1
– Branch Address1
– Shared Policy1
– Branch Policy1
B. Address Objects
– Shared Address1
– Shared Address2
– Branch Address1
– Shared Policy1
– Shared Policy2
– Branch Policy1
C. Address Objects
– Shared Address1
– Shared Address2
– Branch Address1
– DC Address1
– Shared Policy1
– Shared Policy2
– Branch Policy1
D. Address Objects
– Shared Address1
– Shared Address2
– Branch Address1
– Shared Policy1
– Branch Policy1

Answer: C

An administrator has purchased WildFire subscriptions for 90 firewalls globally.
What should the administrator consider with regards to the WildFire infrastructure?

A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.
D. The WildFire Global Cloud only provides bare metal analysis.

Answer: C
Reference: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html

What are three reasons for excluding a site from SSL decryption? (Choose three.)

A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Answer: BCE
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption

When setting up a security profile, which three items can you use? (Choose three.)

A. Wildfire analysis
B. anti-ransomware
C. antivirus
D. URL filtering
E. decryption profile

Answer: ACD
Reference: https://manualzz.com/doc/10741747/pan%E2%80%90os-administrator%E2%80%99s-guide-policy

What are three types of Decryption Policy rules? (Choose three.)

A. SSL Inbound Inspection
B. SSH Proxy
C. SSL Forward Proxy
D. Decryption Broker
E. Decryption Mirror

Answer: ABC
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-overview.html#:~:text=The%20firewall%20provides%20three%20types,to%20control%20tunneled%20SSH%20traffic

Which two features require another license on the NGFW? (Choose two.)

A. SSL Inbound Inspection
B. SSL Forward Proxy
C. Decryption Mirror
D. Decryption Broker

Answer: CD
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-decryption-port-mirroring.html

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

A. Permitted IP Addresses
C. https
D. User-ID

Answer: BCE
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access.html

A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled:
– Prisma Access for Remote Networks: 300Mbps
– Prisma Access for Mobile Users: 1500 Users
– Cortex Data Lake: 2TB
– Trusted Zones: trust
– Untrusted Zones: untrust
– Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two.)

A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log
Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.
D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group.

Answer: BC
Reference: https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html

A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.
Where is the best place to validate if the firewall is blocking the user’s TAR file?

A. Threat log
B. Data Filtering log
C. WildFire Submissions log
D. URL Filtering log

Answer: B
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ1CAK

Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)

A. inherit address-objects from templates
B. define a common standard template configuration for firewalls
C. standardize server profiles and authentication configuration across all stacks
D. standardize log-forwarding profiles for security polices across all stacks

Answer: AB
Reference: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.
What should the enterprise do to use PAN-OS MFA?

A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
C. Configure a Captive Portal authentication policy that uses an authentication sequence.
D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

Answer: B
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214_idc4b47dbd-9777-4ec8-be70-c16ca0ea1756

An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.
However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.
How can policies based on group mapping be learned and enforced in Prisma Access?

A. Configure Prisma Access to learn group mapping via SAML assertion.
B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.
C. Assign a master device in Panorama through which Prisma Access learns groups.
D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.

Answer: C
Reference: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7

What happens to traffic traversing SD-WAN fabric that doesn’t match any SD-WAN policies?

A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.
B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.
C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.
D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).

Answer: C
Reference: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/configure-sd-wan/distribute-unmatched-sessions.html

A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two.)

A. certificate authority (CA) certificate
B. server certificate
C. client certificate
D. certificate profile

Answer: CD
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html

An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?

A. WildFire logs
B. System logs
C. Threat logs
D. Traffic logs

Answer: A
Reference: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama.html

A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.
Which configuration is necessary to retrieve groups from Panorama?

A. Configure an LDAP Server profile and enable the User-ID service on the management interface.
B. Configure a group mapping profile to retrieve the groups in the target template.
C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.
D. Configure a master device within the device groups.

Answer: D
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG

How can packet buffer protection be configured?

A. at zone level to protect firewall resources and ingress zones, but not at the device level
B. at the interface level to protect firewall resources
C. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
D. at the device level (globally) and, if enabled globally, at the zone level

Answer: D
Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection

An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.
What is the best solution for the customer?

A. Configure a remote network on PAN-OS
B. Upgrade to a PAN-OS SD-WAN subscription
C. Configure policy-based forwarding
D. Deploy Prisma SD-WAN with Prisma Access

Answer: B
Reference: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/about-sd-wan.html

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.
What is the correct setting?

A. Change the HA timer profile to “user-defined” and manually set the timers.
B. Change the HA timer profile to “fast”.
C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.
D. Change the HA timer profile to “quick” and customize in advanced profile.

Answer: C
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html

What is the function of a service route?

A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.
B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.
C. The service route is the method required to use the firewall’s management plane to provide services to applications.
D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.

Answer: A
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes.html

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?

A. show session all filter ssl-decryption yes total-count yes
B. show session all ssl-decrypt yes count yes
C. show session all filter ssl-decrypt yes count yes
D. show session filter ssl-decryption yes total-count yes

Answer: C
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK

Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.
How can the issue be corrected?

A. Override the value on the NYCFW template.
B. Override a template value using a template stack variable.
C. Override the value on the Global template.
D. Enable “objects defined in ancestors will take higher precedence” under Panorama settings.

Answer: A
Reference: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

A. show system setting ssl-decrypt certs
B. show system setting ssl-decrypt certificate
C. debug dataplane show ssl-decrypt ssl-stats
D. show system setting ssl-decrypt certificate-cache

Answer: B
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK

Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process?

A. removing the Panorama serial number from the ZTP service
B. performing a factory reset of the firewall
C. performing a local firewall commit
D. removing the firewall as a managed device in Panorama

Answer: C
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail? id=kA14u0000001UiOCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F% 2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

In URL filtering, which component matches URL patterns?

A. live URL feeds on the management plane
B. security processing on the data plane
C. single-pass pattern matching on the data plane
D. signature matching on the data plane

Answer: C
Reference: https://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html

In a template, you can configure which two objects? (Choose two.)

A. Monitor profile
B. application group
C. SD-WAN path quality profile
D. IPsec tunnel

Answer: BC

An organization’s administrator has the funds available to purchase more firewalls to increase the organization’s security posture.
The partner SE recommends placing the firewalls as close as possible to the resources that they protect.
Is the SE’s advice correct, and why or why not?

A. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.
B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.
C. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.
D. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems.

Answer: D
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection.html

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

A. Preview Changes
B. Policy Optimizer
C. Managed Devices Health
D. Test Policy Match

Answer: D
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/test-policy-rule-traffic-matches.html

What is a key step in implementing WildFire best practices?

A. Configure the firewall to retrieve content updates every minute.
B. Ensure that a Threat Prevention subscription is active.
C. In a mission-critical network, increase the WildFire size limits to the maximum value.
D. n a security-first network, set the WildFire size limits to the minimum value.

Answer: B
Reference: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practices

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 2 SAs are synchronized over HA2 links.
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.
C. Phase 1 SAs are synchronized over HA1 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Answer: A
Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Resources From:

1.2021 Latest Braindump2go PCNSE Exam Dumps (PDF & VCE) Free Share:

2.2021 Latest Braindump2go PCNSE PDF and PCNSE VCE Dumps Free Share:

3.2021 Free Braindump2go PCNSE Exam Questions Download:

Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!

Braindump2go Testking Pass4sure Actualtests Others
$99.99 $124.99 $125.99 $189 $29.99/$49.99
Real Questions
Error Correction
Printable PDF
Premium VCE
VCE Simulator
One Time Purchase
Instant Download
Unlimited Install
100% Pass Guarantee
100% Money Back