Renewal PCNSE Questions 2021

NEW QUESTION 1
Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

• A. Content-ID
• B. User-ID
• C. Applications and Threats
• D. Antivirus

Answer: CD

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-dynamic-updates

NEW QUESTION 2
Which operation will impact the performance of the management plane?

• A. WildFire Submissions
• B. DoS Protection
• C. decrypting SSL Sessions
• D. Generating a SaaS Application Report.

Answer: C

NEW QUESTION 3
Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

• A. Client Probing
• B. Port mapping
• C. Server monitoring
• D. Syslog listening

Answer: D

NEW QUESTION 4
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

• A. 5-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol
• B. 7-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port ,Source User, URL Category and Source Security Zone.
• C. 6-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol and Source Security Zone
• D. 9-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application and URL Category

Answer: A

NEW QUESTION 5
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

• A. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN I
• B. Repeat forevery additional VLANand use a VLAN ID of 0 for untagged traffi
• C. Assign each interface/subinterface to a unique zone.
• D. Create V-Wire objects with two V-Wire sub interface and assign only a single VLAN ID to the "Tag Allowed field one of the V-Wire object Repeat for every additional VLAN and use a VIAN ID of 0 for untagged traffi
• E. Assign each interface/subinterfaceto a unique zone.
• F. Create V-Wire objects with two V-Wire interfaces and define a range “0- 4096" in the 'Tag Allowed filed of the V-Wire object.
• G. Create Layer 3 sub interfaces that are each assigned to a single VLAN ID and a common virtual route
• H. The physical Layer 3interface would handle untagged traffi
• I. Assign each interface /subinterface to a unique zon
• J. Do not assign any interface anIP address

Answer: C

NEW QUESTION 6
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.
Which priority is correct for the passive firewall?

• A. 99
• B. 1
• C. 255

Answer: D

Explanation:
Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9)

NEW QUESTION 7
Which logs enable a firewall administrator to determine whether a session was decrypted?

• A. Correlated Event
• B. Traffic
• C. Decryption
• D. Security Policy

Answer: B

NEW QUESTION 8
Exhibit:

What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

• A. ethernet1/7
• B. ethernet1/5
• C. ethernet1/6
• D. ethernet1/3

Answer: D

NEW QUESTION 9
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM- Series firewalls? (Choose two.)

• A. Red Hat Enterprise Virtualization (RHEV)
• B. Kernel Virtualization Module (KVM)
• C. Boot Strap Virtualization Module (BSVM)
• D. Microsoft Hyper-V

Answer: BD

Explanation:
Reference: https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series

NEW QUESTION 10
A network security engineer has been asked to analyze Wildfire activity. However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?

• A. The firewall does not have an active WildFire subscription.
• B. The engineer's account does not have permission to view WildFire Submissions.
• C. A policy is blocking WildFire Submission traffic.
• D. Though WildFire is working, there are currently no WildFire Submissions log entries.

Answer: B

NEW QUESTION 11
Which three settings are defined within the Templates object of Panorama? (Choose three.)

• A. Setup
• B. Virtual Routers
• C. Interfaces
• D. Security
• E. Application Override

Answer: ADE

NEW QUESTION 12
Which feature can provide NGFWs with User-ID mapping information?

• A. Web Captcha
• B. Native 802.1q authentication
• C. GlobalProtect
• D. Native 802.1x authentication

Answer: C

NEW QUESTION 13
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

• A. QoS Statistics
• B. Applications Report
• C. Application Command Center (ACC)
• D. QoS Log

Answer: A

NEW QUESTION 14
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

• A. Preconfigured GlobalProtect satellite
• B. Preconfigured GlobalProtect client
• C. Preconfigured IPsec tunnels
• D. Preconfigured PPTP Tunnels

Answer: A

NEW QUESTION 15
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

• A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
• B. File Blocking profiles applied to outbound security policies with action set to alert
• C. Vulnerability Protection profiles applied to outbound security policies with action set to block
• D. Antivirus profiles applied to outbound security policies with action set to alert

Answer: A

NEW QUESTION 16
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

• A. BGP not sure
• B. OSPFv3
• C. RIP
• D. Static Route

Answer: BD

Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic-Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

NEW QUESTION 17
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?

• A. Enable and configure the Packet Buffer protection thresholds.Enable Packet Buffer Protection per ingress zone.
• B. Enable and then configure Packet Buffer thresholdsEnable Interface Buffer protection.
• C. Create and Apply Zone Protection Profiles in all ingress zones.Enable Packet Buffer Protection per ingress zone.
• D. Configure and apply Zone Protection Profiles for all egress zones.Enable Packet Buffer Protection pre egress zone.
• E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits.Enable Zone Buffer Protection per zone.

Answer: A

NEW QUESTION 18
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

• A. In the details of the Traffic log entries
• B. Decryption log
• C. Data Filtering log
• D. In the details of the Threat log entries

Answer: A

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

NEW QUESTION 19
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

• A. TACACS+
• B. Kerberos
• C. PAP
• D. LDAP
• E. SAML
• F. RADIUS

Answer: ADF

NEW QUESTION 20
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

• A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
• B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
• C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
• D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

NEW QUESTION 21
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?

• A. Device state and license files
• B. Configuration and serial number files
• C. Configuration and statistics files
• D. Configuration and Large Scale VPN (LSVPN) setups file

Answer: A

NEW QUESTION 22
Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

• A. Add SSL App-ID to Rule1
• B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
• C. Add the DNS App-ID to Rule2
• D. Add the Web-browsing App-ID to Rule2

Answer: C

NEW QUESTION 23
Which protection feature is available only in a Zone Protection Profile?

• A. SYN Flood Protection using SYN Flood Cookies
• B. ICMP Flood Protection
• C. Port Scan Protection
• D. UDP Flood Protections

Answer: A

NEW QUESTION 24
Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”

• A. Descendant objects will take precedence over other descendant objects.
• B. Descendant objects will take precedence over ancestor objects.
• C. Ancestor objects will have precedence over descendant objects.
• D. Ancestor objects will have precedence over other ancestor objects.

Answer: C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-setup-management

NEW QUESTION 25
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

• A. Load named configuration snapshot
• B. Load configuration version
• C. Save candidate config
• D. Export device state

Answer: A

NEW QUESTION 26
VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

• A. Zone Protection
• B. Replay
• C. Web Application
• D. DoS Protection

Answer: A

NEW QUESTION 27
DRAG DROP
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 28
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)

• A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
• B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
• C. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
• D. Untrust (Any) to DMZ (10.1.1.1), ssh –Allow
• E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Answer: CD

NEW QUESTION 29
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

• A. User-logon (Always on)
• B. At-boot
• C. On-demand
• D. Pre-logon

Answer: D

NEW QUESTION 30
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade. Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS- Upgrade/ta-p/111045

NEW QUESTION 31
......