Paloalto-Networks PCNSE7 Vce 2021

NEW QUESTION 1

Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

• A. .dll
• B. .exe
• C. .src
• D. .apk
• E. .pdf
• F. .jar

Answer: DEF

NEW QUESTION 2

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

• A. Deny application facebook-chat before allowing application facebook
• B. Deny application facebook on top
• C. Allow application facebook on top
• D. Allow application facebook before denying application facebook-chat

Answer: A

NEW QUESTION 3

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

• A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
• B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
• C. Configure log compression and optimization features on all remote firewalls.
• D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Answer: C

NEW QUESTION 4

A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

• A. The three-way TCP handshake was observed, but the application could not be identified.
• B. The three-way TCP handshake did not complete.
• C. The traffic is coming across USP, and the application could not be identified.
• D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

Answer: C

NEW QUESTION 5

Several offices are connected with VPNs using static IPV4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accoumplish this goal?

• A. Assign an IP address on each tunnel interface at each site
• B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
• C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
• D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 6

A company hosts a publicly accessible web server behind a Palo Alto Networks next- generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10
* Web server private IP address: 192.168.1.10
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

• A. Destination IPof 23.54.6.10
• B. UntrustL3 for both Source and Destination Zone
• C. Destination IP of 192.168.1.10
• D. UntrustL3 for Source Zone and Trust-L3 for Destination Zone

Answer: AB

NEW QUESTION 7

A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

• A. BGP not sure
• B. OSPFv3
• C. RIP
• D. Static Route

Answer: BD

Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic-Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

NEW QUESTION 8

Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

• A. Add SSL App-ID to Rule1
• B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
• C. Add the DNS App-ID to Rule2
• D. Add the Web-browsing App-ID to Rule2

Answer: C

NEW QUESTION 9

Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

• A. Assign an IP address on each tunnel interface at each site
• B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
• C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
• D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 10

Click the Exhibit button below,


A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

• A. 172.20.30.1
• B. 172.20.40.1
• C. 172.20.20.1
• D. 172.20.10.1

Answer: C

NEW QUESTION 11

If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

• A. SSL Forward Proxy
• B. SSL Inbound Inspection
• C. TLS Bidirectional proxy
• D. SSL Outbound Inspection

Answer: B

NEW QUESTION 12

Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?

• A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000.
• C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000.
• D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.

Answer: C

NEW QUESTION 13

How does Panorama handle incoming logs when it reaches the maximum storage capacity?

• A. Panorama discards incoming logs when storage capacity full.
• B. Panorama stops accepting logs until licenses for additional storage space are applied
• C. Panorama stops accepting logs until a reboot to clean storage space.
• D. Panorama automatically deletes older logs to create space for new ones.

Answer: D

Explanation:
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/determine-panorama-log-storage-requirements)

NEW QUESTION 14

An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:

What could be the cause of this problem?

• A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the ASA.
• B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
• C. The shared secerts do not match between the Palo Alto firewall and the ASA
• D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA

Answer: B

NEW QUESTION 15

A company.com wants to enable Application Override. Given the following screenshot:

Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

• A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
• B. Traffic will be forced to operate over UDP Port 16384.
• C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
• D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

NEW QUESTION 16

A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?

• A. Create a Template with the appropriate IKE Gateway settings
• B. Create a Template with the appropriate IPSec tunnel settings
• C. Create a Device Group with the appropriate IKE Gateway settings
• D. Create a Device Group with the appropriate IPSec tunnel settings

Answer: B

NEW QUESTION 17

An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

• A. Option A
• B. Option B
• C. Option C
• D. Option D
• E. Option E

Answer: B

NEW QUESTION 18

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?

• A. The settings assigned to the template that is on top of the stack.
• B. The administrator will be promoted to choose the settings for that chosen firewall.
• C. All the settings configured in all templates.
• D. Depending on the firewall location, Panorama decides with settings to send.

Answer: B

NEW QUESTION 19

A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise?( Choose three)

• A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading.
• B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
• C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
• D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one firewall.
• E. Download and install PAN-OS 7.0.4 directly on each firewall.
• F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.

Answer: ACF

NEW QUESTION 20

Refer to the exhibit.

An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)

B)

C)

D)

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: D

NEW QUESTION 21

YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

• A. Outbound profile with Guaranteed Ingress
• B. Outbound profile with Maximum Ingress
• C. Inbound profile with Guaranteed Egress
• D. Inbound profile with Maximum Egress

Answer: D

NEW QUESTION 22

During the packet flow process, which two processes are performed in application identification? (Choose two.)

• A. Pattern based application identification
• B. Application override policy match
• C. Application changed from content inspection
• D. Session application identified.

Answer: BD

NEW QUESTION 23

A Security policy rule is configured with a Vulnerability Protection Profile and an action of ‘Deny”.
Which action will this cause configuration on the matched traffic?

• A. The configuration is invali
• B. The Profile Settings section will be grayed out when the Action is set to “Deny”.
• C. The configuration will allow the matched session unless a vulnerability is detecte
• D. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
• E. The configuration is invali
• F. It will cause the firewall to skip this Security policy rul
• G. A warning will be displayed during a commit.
• H. The configuration is vali
• I. It will cause the firewall to deny the matched session
• J. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny.”

Answer: B

NEW QUESTION 24
......