Leading PCNSE Guidance 2021

NEW QUESTION 1
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

• A. User-logon (Always on)
• B. At-boot
• C. On-demand
• D. Pre-logon

Answer: D

NEW QUESTION 2
Which feature prevents the submission of corporate login information into website forms?

• A. Data filtering
• B. User-ID
• C. File blocking
• D. Credential phishing prevention

Answer: D

Explanation:
Reference: https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation-security-platform-contributes-to-gdpr-compliance

NEW QUESTION 3
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?

• A. Deny application facebook-chat before allowing application facebook
• B. Deny application facebook on top
• C. Allow application facebook on top
• D. Allow application facebook before denying application facebook-chat

Answer: A

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block-Facebook-Chat-Consistently/ta-p/115673

NEW QUESTION 4
A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first?

• A. Remove the cable from the management interface, reload the log Collector and then re-connect that cable
• B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
• C. remove the device from the Collector Group
• D. Revert to a previous configuration

Answer: C

NEW QUESTION 5
How does Panorama prompt VMWare NSX to quarantine an infected VM?

• A. HTTP Server Profile
• B. Syslog Server Profile
• C. Email Server Profile
• D. SNMP Server Profile

Answer: A

NEW QUESTION 6
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

• A. Master
• B. Universal
• C. Shared
• D. Global

Answer: C

NEW QUESTION 7
Which three options are supported in HA Lite? (Choose three.)

• A. Virtual link
• B. Active/passive deployment
• C. Synchronization of IPsec security associations
• D. Configuration synchronization
• E. Session synchronization

Answer: BCD

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-high-availability/ha-lite

NEW QUESTION 8
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user’s knowledge.
What is the expected verdict from WildFire?

• A. Gray ware
• B. Malware
• C. Spyware
• D. Phishing

Answer: A

NEW QUESTION 9
Which method will dynamically register tags on the Palo Alto Networks NGFW?

• A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
• B. Restful API or the VMware API on the firewall or on the User-ID agent
• C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
• D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Answer: D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/register-ip-addresses-and-tags-dynamically

NEW QUESTION 10
Which is not a valid reason for receiving a decrypt-cert-validation error?

• A. Unsupported HSM
• B. Unknown certificate status
• C. Client authentication
• D. Untrusted issuer

Answer: A

NEW QUESTION 11
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

• A. In the details of the Traffic log entries
• B. Decryption log
• C. Data Filtering log
• D. In the details of the Threat log entries

Answer: A

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719

NEW QUESTION 12
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

• A. QoS Statistics
• B. Applications Report
• C. Application Command Center (ACC)
• D. QoS Log

Answer: A

NEW QUESTION 13
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

• A. CRL
• B. CRT
• C. OCSP
• D. Cert-Validation-Profile
• E. SSL/TLS Service Profile

Answer: AC

NEW QUESTION 14
Which administrative authentication method supports authorization by an external service?

• A. Certificates
• B. LDAP
• C. RADIUS
• D. SSH keys

Answer: C

NEW QUESTION 15
Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC?

• A. 172.20.30.1
• B. 172.20.40.1
• C. 172.20.20.1
• D. 172.20.10.1

Answer: C

NEW QUESTION 16
Which option is part of the content inspection process?

• A. Packet forwarding process
• B. SSL Proxy re-encrypt
• C. IPsec tunnel encryption
• D. Packet egress process

Answer: A

NEW QUESTION 17
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?

• A. A Server Profile has not been configured for logging to this Panorama device.
• B. Panorama is not licensed to receive logs from this particular firewall.
• C. The firewall is not licensed for logging to this Panorama device.
• D. None of the firwwall's policies have been assigned a Log Forwarding profile

Answer: D

NEW QUESTION 18
Which four NGFW multi-factor authentication factors are supported by PAN-OSS? (Choose four.)

• A. User logon
• B. Short message service
• C. Push
• D. SSH keyE.One-Time Password F.Voice

Answer: BCEF

NEW QUESTION 19
Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

• A. Dynamic
• B. Custom Panorama Admin
• C. Role Based
• D. Device Group E.Template Admin

Answer: DE

NEW QUESTION 20
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

• A. BGP not sure
• B. OSPFv3
• C. RIP
• D. Static Route

Answer: BD

Explanation:
https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic-Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

NEW QUESTION 21
A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's
firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

• A. A report can be created that identifies unclassified traffic on the network.
• B. Different security profiles can be applied to traffic matching rules 2 and 3.
• C. Rule 2 and 3 apply to traffic on different ports.
• D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Answer: BD

NEW QUESTION 22
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

• A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question:.
• B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question:.
• C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
• D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

Answer: C

NEW QUESTION 23
Which feature can provide NGFWs with User-ID mapping information?

• A. GlobalProtect
• B. Web Captcha
• C. Native 802.1q authentication
• D. Native 802.1x authentication

Answer: A

NEW QUESTION 24
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

• A. HA1 IP Address
• B. Network Interface Type
• C. Master Key
• D. Zone Protection Profile

Answer: AB

NEW QUESTION 25
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

• A. Create a no-decrypt Decryption Policy rule.
• B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
• C. Create a Dynamic Address Group for untrusted sites
• D. Create a Security Policy rule with vulnerability Security Profile attached.
• E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD

NEW QUESTION 26
......