Realistic PCNSE7 Exam Questions and Answers 2021

We offers . "Palo Alto Networks Certified Network Security Engineer", also known as PCNSE7 exam, is a Paloalto Networks Certification. This set of posts, Passing the PCNSE7 exam with , will help you answer those questions. The covers all the knowledge points of the real exam. 100% real and revised by experts!

Also have PCNSE7 free dumps questions for you:

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
•DMZ zone: DMZ-L3
•Public zone: Untrust-L3
•Guest zone: Guest-L3
•Web server zone: Trust-L3
•Public IP address (Untrust-L3):
•Private IP address (Trust-L3):
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

  • A. Untrust-L3
  • B. DMZ-L3
  • C. Guest-L3
  • D. Trust-L3

Answer: A

A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

  • A. Panorama virtual appliance on ESX(i) only
  • B. M-500
  • C. M-100 with Panorama installed
  • D. M-100

Answer: BC

Explanation: (

Which method will dynamically register tags on the Palo Alto Networks NGFW?

  • A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
  • B. Restful API or the VMware API on the firewall or on the User-ID agent
  • C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
  • D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Answer: D

How does Panorama handle incoming logs when it reaches the maximum storage capacity?

  • A. Panorama discards incoming logs when storage capacity full.
  • B. Panorama stops accepting logs until licenses for additional storage space are applied
  • C. Panorama stops accepting logs until a reboot to clean storage space.
  • D. Panorama automatically deletes older logs to create space for new ones.

Answer: D

Explanation: (

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

  • A. DHCP has been set to Auto.
  • B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
  • C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
  • D. DNS has not been properly configured on the firewall

Answer: B

Click the Exhibit button
PCNSE7 dumps exhibit
An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.
What would be the administrator's next step?

  • A. Right-Click on the bittorrent link and select Value from the context menu
  • B. Create a global filter for bittorrent traffic and then view Traffic logs.
  • C. Create local filter for bittorrent traffic and then view Traffic logs.
  • D. Click on the bittorrent application link to view network activity

Answer: D

Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

  • A. Deny application facebook-chat before allowing application facebook
  • B. Deny application facebook on top
  • C. Allow application facebook on top
  • D. Allow application facebook before denying application facebook-chat

Answer: A

Decrypted packets from the website will appear as which application and service within the Traffic log?

  • A. web-browsing and 443
  • B. SSL and 80
  • C. SSL and 443
  • D. web-browsing and 80

Answer: B

Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

  • A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes
  • B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.
  • C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
  • D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode.
  • E. Log in the Panorama CLI of the dedicated Log Collector

Answer: BE

Explanation: (

The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to on TCP Port 8080.
PCNSE7 dumps exhibit
Which NAT and security rules must be configured on the firewall? (Choose two)

  • A. A security policy with a source of any from untrust-I3 Zone to a destination of in dmz-I3 zone using web-browsing application
  • B. A NAT rule with a source of any from untrust-I3 zone to a destination of in dmz-zone using service-http service.
  • C. A NAT rule with a source of any from untrust-I3 zone to a destination of in untrust-I3 zone using service-http service.
  • D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

  • A. Use the debug dataplane packet-diag set capture stage firewall file command.
  • B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
  • C. Use the debug dataplane packet-diag set capture stage management file command.
  • D. Use the topdump command.

Answer: A

NEW QUESTION 12 has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should use to immediately address this traffic on a Palo Alto Networks device?

  • A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
  • B. Wait until an official Application signature is provided from Palo Alto Networks.
  • C. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application
  • D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Answer: D

PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

  • A. Application Center
  • B. URL Filtering
  • C. GlobalProtect
  • D. Threat Prevention

Answer: D

A wants to enable Application Override. Given the following screenshot:
PCNSE7 dumps exhibit
Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two)

  • A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
  • B. Traffic will be forced to operate over UDP Port 16384.
  • C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
  • D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Configure the option for “Threshold”.
  • B. Disable automatic updates during weekdays.
  • C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
  • D. Automatically “download and install” but with the “disable new applications” option used.

Answer: C

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

  • A. Red Hat Enterprise Virtualization (RHEV)
  • B. Kernel Virtualization Module (KVM)
  • C. Boot Strap Virtualization Module (BSVM)
  • D. Microsoft Hyper-V

Answer: BD

Which feature prevents the submission of corporate login information into website forms?

  • A. Data filtering
  • B. User-ID
  • C. File blocking
  • D. Credential phishing prevention

Answer: D

Which field is optional when creating a new Security Policy rule?

  • A. Name
  • B. Description
  • C. Source Zone
  • D. Destination Zone
  • E. Action

Answer: B

Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

  • A. VM-100
  • B. VM-200
  • C. VM-1000-HV
  • D. VM-300

Answer: C

A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?

  • A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
  • B. set deviceconfig system speed-duplex 1Gbps-duplex
  • C. set deviceconfig system speed-duplex 1Gbps-full-duplex
  • D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: B

Thanks for reading the newest PCNSE7 exam dumps! We recommend you to try the PREMIUM 2passeasy PCNSE7 dumps in VCE and PDF here: (176 Q&As Dumps)