PCNSE Exam Questions

Total 271 Questions

Exam Last Updated: 16-Dec-2024

Topic 1 : Main Questions pool

Which CLI command can be used to export the tcpdump capture?

A. scp export tcpdump from mgmt.pcap to <username@host:path>
B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
D. download mgmt.-pcap

Answer: C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>

Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/55415

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual
authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

Answer: A. Use custom certificates

Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your

Which CLI command is used to simulate traffic going through the firewall and determine which Security
policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

A. check
B. find
C. test
D. sim

Answer: C. test

Reference:
http://www.shanekillen.com/2014/02/palo-alto-useful-cli-commands.html

A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers?

A. Enable packet buffer protection on the Zone Protection Profile.
B. Apply an Anti-Spyware Profile with DNS sinkholing.
C. Use the DNS App-ID with application-default.
D. Apply a classified DoS Protection Profile.

Answer: A. Enable packet buffer protection on the Zone Protection Profile.



Which feature can provide NGFWs with User-ID mapping information?

A. GlobalProtect
B. WebCaptcha
C. Native 802.1q authentication
D. Native 802.1x authentication

Answer: A. GlobalProtect



Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security
management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?

A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
C. Configure log compression and optimization features on all remote firewalls.
D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Answer: A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.



Refer to the exhibit.

A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

A. Untrust (any) to Untrust (10.1.1.100), web-browsing – Allow
B. Untrust (any) to Untrust (1.1.1.100), web-browsing – Allow
C. Untrust (any) to DMZ (1.1.1.100), web-browsing – Allow
D. Untrust (any) to DMZ (10.1.1.100), web-browsing – Allow

Answer: B. Untrust (any) to Untrust (1.1.1.100), web-browsing – Allow



Question No. 85

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP
port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust
to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to
allow cleartext web-browsing traffic to this server on tcp/443?

A. Rule #1: application: web-browsing; service: application-default; action: allow. Rule #2: application: ssl; service: application-default; action: allow.
B. Rule #1: application: web-browsing; service: service-https; action: allow. Rule #2: application: ssl; service: application-default; action: allow.
C. Rule #1: application: ssl; service: application-default; action: allow. Rule #2: application: web-browsing; service: application-default; action: allow.
D. Rule #1: application: web-browsing; service: service-http; action: allow. Rule #2: application: ssl; service: application-default; action: allow.

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

A. port mapping
B. server monitoring
C. client probing
D. XFF headers

Answer: A. port mapping

Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-serverusers

When is the content inspection performed in the packet flow process?

A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet

Answer: A. after the application has been identified

Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

A. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
B. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of one of the V-Wire objects. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
C. Create V-Wire objects with two V-Wire interfaces and define a range "0-4096" in the "Tag Allowed" field of the V-Wire object.
D. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.

Answer: C. Create V-Wire objects with two V-Wire interfaces and define a range "0-4096" in the "Tag Allowed" field of the V-Wire object.



