• Home
  • Articles
  • Updated Dec-2023 Exam PCNSE Dumps - Pass Your Certification Exam [Q35-Q54]

Updated Dec-2023 Exam PCNSE Dumps - Pass Your Certification Exam [Q35-Q54]

Share

Updated Dec-2023 Exam PCNSE Dumps - Pass Your Certification Exam

Latest Real Palo Alto Networks PCNSE Exam Dumps Questions

NEW QUESTION # 35
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
  • B. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
  • C. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
  • D. Untrust (Any) to DMZ (10.1.1.1), ssh -Allow
  • E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow

Answer: B,D

Explanation:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat


NEW QUESTION # 36
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

  • A. Mapping to the IP address of the logged-in user.
  • B. First four letters of the username matching any valid corporate username.
  • C. Matching any valid corporate username.
  • D. Using the same user's corporate username and password.

Answer: A

Explanation:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection- features/credential-phishing-prevention


NEW QUESTION # 37
What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain'?

  • A. a Security policy with 'known-user" selected in the Source User field
  • B. an Authentication policy with 'unknown' selected in the Source User field
  • C. a Security policy with 'unknown' selected in the Source User field
  • D. an Authentication policy with 'known-user' selected in the Source User field

Answer: C


NEW QUESTION # 38
Refer to the diagram. Users at an internal system want to ssh to the SSH server The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

  • A. NAT Rule:
    Source Zone: Trust -
    Source IP: 192.168.15.0/24 -
    Destination Zone: Trust -
    Destination IP: 192.168.15.1 -
    Destination Translation: Static IP / 172.16.15.10
    Security Rule:
    Source Zone: Trust -
    Source IP: 192.168.15.0/24 -
    Destination Zone: Server -
    Destination IP: 172.16.15.10 -
    Application: ssh
  • B. NAT Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Server -
    Destination IP: 172.16.15.10 -
    Source Translation: dynamic-ip-and-port / ethernet1/4
    Security Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Server -
    Destination IP: 172.16.15.10 -
    Application: ssh
  • C. NAT Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Server -
    Destination IP: 172.16.15.10 -
    Source Translation: Static IP / 172.16.15.1
    Security Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Trust -
    Destination IP: 172.16.15.10 -
    Application: ssh
  • D. NAT Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Trust -
    Destination IP: 192.168.15.1 -
    Destination Translation: Static IP /172.16.15.10
    Security Rule:
    Source Zone: Trust -
    Source IP: Any -
    Destination Zone: Server -
    Destination IP: 172.16.15.10 -
    Application: ssh

Answer: B

Explanation:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/sou


NEW QUESTION # 39
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  • A. Wildfire update package
  • B. User-ID agent
  • C. Application and Threats update package
  • D. Anti virus update package

Answer: C


NEW QUESTION # 40
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

  • A. ethernet1/3
  • B. ethernet1/6
  • C. ethernet1/7
  • D. ethernet1/5

Answer: D


NEW QUESTION # 41
Which three fields can be included in a pcap filter? (Choose three)

  • A. Rule number
  • B. Egress interface
  • C. Ingress interface
  • D. Source IP
  • E. Destination IP

Answer: A,D,E

Explanation:
Explanation
(https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069)


NEW QUESTION # 42
Which CLI command is used to determine how much disk space is allocated to logs?

  • A. show system info
  • B. show logging-status
  • C. show system logdfo-quota
  • D. debug log-receiver show

Answer: C


NEW QUESTION # 43
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.
Which VPN configuration would adapt to changes when deployed to the future site?

  • A. Preconfigured GlobalProtect client
  • B. Preconfigured PPTP Tunnels
  • C. Preconfigured GlobalProtect satellite
  • D. Preconfigured IPsec tunnels

Answer: C

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite-configurations.html


NEW QUESTION # 44
Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)

  • A. Applications and Threats
  • B. Antivirus
  • C. User-ID
  • D. Content-ID

Answer: A,B

Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device- dynamic-updates


NEW QUESTION # 45
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against
external hosts attempting to exploit a flaw in an operating system on an internal system.
Which Security Profile type will prevent this attack?

  • A. Antivirus
  • B. Anti-Spyware
  • C. URL Filtering
  • D. Vulnerability Protection

Answer: D

Explanation:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/objects/
objects-security-profiles-vulnerability-protection


NEW QUESTION # 46
Which Panorama administrator types require the configuration of at least one access domain? (Choose two)

  • A. Template Admin
  • B. Dynamic
  • C. Custom Panorama Admin
  • D. Device Group
  • E. Role Based

Answer: A,D

Explanation:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0


NEW QUESTION # 47
An administrator just submitted a newly found piece of spyware for WildFire analysis.
The spyware monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

  • A. Grayware
  • B. Phishing
  • C. Spyware
  • D. Malware

Answer: A


NEW QUESTION # 48
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

  • A. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
  • B. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
  • C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
  • D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

Answer: A

Explanation:
Explanation
Generate a CA certificate for Forward Trust (step 2) a self-signed CA for Forward Untrust (step
4)https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


NEW QUESTION # 49
A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.
In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

  • A.
  • B.
  • C.
  • D.

Answer: A


NEW QUESTION # 50
An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)

  • A. Monitor Fail Hold Up Time
  • B. Hello Interval
  • C. Heartbeat Interval
  • D. Promotion Hold Time

Answer: C

Explanation:
Explanation
The heartbeat interval determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping). The default value is 1000 milliseconds (1 second). The heartbeat interval is used to detect failures and trigger failover in an HA pair1. The other options are not correct. The hello interval determines the frequency at which the HA peers exchange messages in the form of an HA packet. The default value is
3000 milliseconds (3 seconds). The hello interval is used to establish and maintain HA connectivity2. The promotion hold time determines the amount of time that a passive firewall waits before it becomes active after detecting a failure on the active firewall. The default value is 5000 milliseconds (5 seconds)3. The monitor fail hold up time determines the amount of time that a firewall waits before it declares a monitor failure after detecting a link down event on an interface. The default value is 2000 milliseconds (2 seconds)4. References:
1: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers 2:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers 3:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers 4:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


NEW QUESTION # 51
Where is information about packet buffer protection logged?

  • A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
  • B. Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
  • C. All entries are in the Alarms log
  • D. All entries are in the System log

Answer: C

Explanation:


NEW QUESTION # 52
How does Panorama prompt VMWare NSX to quarantine an infected VM?

  • A. SNMP Server Profile
  • B. Email Server Profile
  • C. HTTP Server Profile
  • D. Syslog Server Profile

Answer: C

Explanation:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-nsx/set-up-the-vm-series-firewall-on-vmware-nsx/dynamically-quarantine-infected-guests.html#id8e9a242e-e038-4ba2-b0ea-eaaf53690be0


NEW QUESTION # 53
Refer to the exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

  • A. Configure log compression and optimization features on all remote firewalls.
  • B. Any configuration on an M-500 would address the insufficient bandwidth concerns.
  • C. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
  • D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Answer: A


NEW QUESTION # 54
......

PCNSE Dumps To Pass PCNSE PAN-OS Exam in One Day: https://freedownload.prep4sures.top/PCNSE-real-sheets.html

Related Articles

more
Palo Alto Networks PCNSE Certification Practice Exam