Paloalto Networks PCNSE Exam Questions and Answers 2021

NEW QUESTION 1
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

• A. Create a custom application.
• B. Create a custom object for the custom application server to identify the custom application.
• C. Submit an Apple-ID request to Palo Alto Networks.
• D. Create a Security policy to identify the custom application.

Answer: AB

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/use-application-objects-in-policy/create-a-custom-application

NEW QUESTION 2
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

• A. App Scope
• B. ACC
• C. Session Browser
• D. System Logs

Answer: C

NEW QUESTION 3
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

• A. In the details of the Traffic log entries
• B. Decryption log
• C. Data Filtering log
• D. In the details of the Threat log entries

Answer: A

Explanation: Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

NEW QUESTION 4
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

• A. Zone Protection Policy with UDP Flood Protection
• B. QoS Policy to throttle traffic below maximum limit
• C. Security Policy rule to deny trafic to the IP address and port that is under attack
• D. Classified DoS Protection Policy using destination IP only with a Protect action

Answer: D

NEW QUESTION 5
Which feature must you configure to prevent users form accidentally submitting their corporate
credentials to a phishing website?

• A. URL Filtering profile
• B. Zone Protection profile
• C. Anti-Spyware profile
• D. Vulnerability Protection profileExplanation:

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/prevent-credential-phishing

NEW QUESTION 6
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

• A. Use custom certificates
• B. Enable LDAP or RADIUS integration
• C. Set up multi-factor authentication
• D. Configure strong password authentication

Answer: A

Explanation: Reference:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your-panorama-deployment

NEW QUESTION 7
A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects> Security Profiles> Anti-Spyware and select default profile.
What should be done next?

• A. Click the simple-critical rule and then click the Action drop-down list.
• B. Click the Exceptions tab and then click show all signatures.
• C. View the default actions displayed in the Action column.
• D. Click the Rules tab and then look for rules with "default" in the Action column.

Answer: B

NEW QUESTION 8
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)

• A. Rule Usage Hit counter will not be reset
• B. Highlight Unused Rules will highlight all rules.
• C. Highlight Unused Rules will highlight zero rules.
• D. Rule Usage Hit counter will reset.

Answer: AB

NEW QUESTION 9
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

• A. TLS Bidirectional Inspection
• B. SSL Inbound Inspection
• C. SSH Forward Proxy
• D. SMTP Inbound DecryptionExplanation:

Answer: B

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

NEW QUESTION 10
Which three authentication factors does PAN-OS® software support for MFA (Choose three.)

• A. Push
• B. Pull
• C. Okta Adaptive
• D. Voice E.SMS

Answer: AD

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication

NEW QUESTION 11
Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

• A. port mapping
• B. server monitoring
• C. client probing
• D. XFF headers

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-server-users

NEW QUESTION 12
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?

• A. Gray ware
• B. Malware
• C. Spyware
• D. Phishing

Answer: A

NEW QUESTION 13
Exhibit:

What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

• A. ethernet1/7
• B. ethernet1/5
• C. ethernet1/6
• D. ethernet1/3

Answer: D

NEW QUESTION 14
An administrator sees several inbound sessions identified as unknown-tcp in the traffic logs. The administrator determines that these sessions are from external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this as their accounting application and to scan this traffic for threats. Which option would achieve this result?

• A. Create an Application Override policy and a custom threat signature for the application
• B. Create an Application Override policy
• C. Create a custom App-ID and use the "ordered conditions" check box
• D. Create a custom App ID and enable scanning on the advanced tab

Answer: A

NEW QUESTION 15
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

• A. Both SSH keys and SSL certificates must be generated.
• B. No prerequisites are required.
• C. SSH keys must be manually generated.
• D. SSL certificates must be generated.

Answer: B

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssh-proxy

NEW QUESTION 16
Which data flow describes redistribution of user mappings?

• A. User-ID agent to firewall
• B. firewall to firewall
• C. Domain Controller to User-ID agent
• D. User-ID agent to Panorama

Answer: B

NEW QUESTION 17
Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?

• A. 15,000
• B. 10,000
• C. 75,00
• D. 5,000

Answer: B

NEW QUESTION 18
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

• A. The two devices must share a routable floating IP address
• B. The two devices may be different models within the PA-5000 series
• C. The HA1 IP address from each peer must be on a different subnet
• D. The management port may be used for a backup control connection

Answer: D