100% Guarantee PCNSE Exam Questions 2021

"Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 8.0", also known as the PCNSE exam, is a Palo Alto Networks certification.

Free demo questions for the Palo Alto Networks PCNSE exam are below:

NEW QUESTION 1
If an administrator does not possess a website’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic when users browse to HTTP(S) websites?

  • A. SSL Forward Proxy
  • B. SSL Inbound Inspection
  • C. TLS Bidirectional proxy
  • D. SSL Outbound Inspection

Answer: A

NEW QUESTION 2
SAML SLO is supported for which two firewall features? (Choose two.)

  • A. GlobalProtect Portal
  • B. Captive Portal
  • C. WebUI
  • D. CLI

Answer: AB

NEW QUESTION 3
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

  • A. Assign an IP address on each tunnel interface at each site
  • B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
  • C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
  • D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 4
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two.)

  • A. Vulnerability Object
  • B. DoS Protection Profile
  • C. Data Filtering Profile
  • D. Zone Protection Profile

Answer: BD

NEW QUESTION 5
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)

  • A. The devices are pre-configured with a virtual wire pair out of the first two interfaces.
  • B. The devices are licensed and ready for deployment.
  • C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
  • D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
  • E. The interfaces are pingable.

Answer: BC

NEW QUESTION 6
If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?

  • A. Mapping to the IP address of the logged-in user.
  • B. First four letters of the username matching any valid corporate username.
  • C. Using the same user’s corporate username and password.
  • D. Matching any valid corporate username.

Answer: A

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-features/credential-phishing-prevention

NEW QUESTION 7
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

  • A. TACACS+
  • B. Kerberos
  • C. PAP
  • D. LDAP
  • E. SAML
  • F. RADIUS

Answer: ADF

NEW QUESTION 8
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

  • A. The firewall is in multi-vsys mode.
  • B. The traffic is offloaded.
  • C. The traffic does not match the packet capture filter.
  • D. The firewall’s DP CPU is higher than 50%.

Answer: BC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload

NEW QUESTION 9
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal?

  • A. Assign an IP address on each tunnel interface at each site
  • B. Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0
  • C. Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces
  • D. Create new VPN zones at each site to terminate each VPN connection

Answer: C

NEW QUESTION 10
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A. Create a no-decrypt Decryption Policy rule.
  • B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
  • C. Create a Dynamic Address Group for untrusted sites
  • D. Create a Security Policy rule with vulnerability Security Profile attached.
  • E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD

NEW QUESTION 11
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?

  • A. Security policy rule
  • B. CRL
  • C. Service route
  • D. Scheduler

Answer: A

NEW QUESTION 12
An administrator has users accessing network resources through Citrix XenApp 7.x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

  • A. Client Probing
  • B. Terminal Services agent
  • C. GlobalProtect
  • D. Syslog Monitoring

Answer: B

NEW QUESTION 13
Which Palo Alto Networks VM-Series firewall is valid?

  • A. VM-25
  • B. VM-800
  • C. VM-50
  • D. VM-400

Answer: C

Explanation: Reference: https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series

NEW QUESTION 14
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
  • C. The firewalls do not use floating IPs in active/active HA.
  • D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

Answer: A

NEW QUESTION 15
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred?

  • A. From the CLI, use the show System log
  • B. Apply the filter subtype eq ha to the System log
  • C. Apply the filter subtype eq ha to the configuration log
  • D. Check the status of the High Availability widget on the Dashboard of the GUI

Answer: B

NEW QUESTION 16
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?

  • A. application override
  • B. Virtual Wire mode
  • C. content inspection
  • D. redistribution of user mappings

Answer: D

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network

NEW QUESTION 17
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

  • A. Red Hat Enterprise Virtualization (RHEV)
  • B. Kernel Virtualization Module (KVM)
  • C. Boot Strap Virtualization Module (BSVM)
  • D. Microsoft Hyper-V

Answer: BD

Explanation: Reference: https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series

NEW QUESTION 18
Which option is an IPv6 routing protocol?

  • A. RIPv3
  • B. OSPFv3
  • C. OSPv3
  • D. BGP NG

Answer: B
