Exam Code : PCNSE
Exam Name : Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10
Vendor Name :
"Palo-Alto"
PCNSE Dumps PCNSE Braindumps PCNSE Real Questions PCNSE Practice Test
PCNSE Actual Questions
Palo Alto Networks Certified Security Engineer (PCNSE)
PAN-OS 10
https://killexams.com/pass4sure/exam-detail/PCNSE
Which CLI command is used to determine how much disk space is allocated to logs?
show logging-status
show system info
debug log-receiver show
show system logdfo-quota
Question: 49
Which Panorama feature protects logs against data loss if a Panorama server fails?
Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group
Question: 50
A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?
Use RSA in a Decryption profile tor higher-priority and higher-risk traffic, and use less processor-intensive
decryption methods for lower-risk traffic
Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for tower-risk traffic
Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
Use Decryption profiles to drop traffic that uses processor-intensive ciphers
Question: 51
Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.)
inherit address-objects from templates
define a common standard template configuration for firewalls
standardize server profiles and authentication configuration across all stacks
standardize log-forwarding profiles for security polices across all stacks
Question: 52
In the screenshot above which two pieces ot information can be determined from the ACC configuration shown? (Choose two)
The Network Activity tab will display all applications, including FTP.
Threats with a severity of "high" are always listed at the top of the Threat Name list
Insecure-credentials, brute-force and protocol-anomaly are all a part of the vulnerability Threat Type
The ACC has been filtered to only show the FTP application
Question: 53
A company is using wireless controllers to authenticate users. Which source should be used for User-ID mappings?
Syslog
XFF headers
server monitoring
client probing
Question: 54
Which statement regarding HA timer settings is true?
Use the Recommended profile for typical failover timer settings
Use the Moderate profile for typical failover timer settings
Use the Aggressive profile for slower failover timer settings.
Use the Critical profile for faster failover timer settings.
An administrator is seeing one of the firewalls in a HA active/passive pair moved to ‘suspended" state due to Non- functional loop.
Which three actions will help the administrator troubleshool this issue? (Choose three.)
Use the CLI command show high-availability flap-statistics
Check the HA Link Monitoring interface cables.
Check the High Availability > Link and Path Monitoring settings.
Check High Availability > Active/Passive Settings > Passive Link State
Check the High Availability > HA Communications > Packet Forwarding settings.
Question: 56
An administrator has 750 firewalls. The administrator’s central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause?
Panorama does not have valid licenses to push the dynamic updates.
Panorama has no connection to Palo Alto Networks update servers.
No service route is configured on the firewalls to Palo Alto Networks update servers.
Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
Question: 57
A client wants to detect the use of weak and manufacturer-default passwords for loT devices. Which option will help the customer?
Configure a Data Filtering profile with alert mode.
Configure an Antivirus profile with alert mode.
Configure a Vulnerability Protection profile with alert mode
Configure an Anti-Spyware profile with alert mode.
Question: 58
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
review the configuration logs on the Monitor tab
click Preview Changes under Push Scope
use Test Policy Match to review the policies in Panorama
context-switch to the affected firewall and use the configuration audit tool
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit- operations.html
Question: 59
A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?
Configuration logs
System logs
Traffic logs
Tunnel Inspection logs
Question: 60
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with Failure Condition of "all" and contains a destination IP of 8.8.8.8 and 4.2.2.2 with a Ping Interval of 500ms and a Ping count of 3.
Which scenario will cause the Active firewall to fail over?
IP address 8.8.8.8 is unreachable for 1 second.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds
IP address 4.2.2.2 is unreachable for 2 seconds.
Question: 61
Where is information about packet buffer protection logged?
Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP address are in the Threat log
All entries are in the System log
Alert entries are in the System log. Entries for dropped traffic, discarded sessions and blocked IP addresses are in the Threat log
All entries are in the Alarms log
Graphical user interface, text, application
Description automatically generated
Question: 62
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such.
The admin has not yet installed the root certificate onto client systems What effect would this have on decryption functionality?
Decryption will function and there will be no effect to end users
Decryption will not function because self-signed root certificates are not supported
Decryption will not function until the certificate is installed on client systems
Decryption will function but users will see certificate warnings for each SSL site they visit
Question: 63
A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone.
What should the firewall administrator do to mitigate this type of attack?
Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone
Enable packet buffer protection in the outside zone.
Create a Security rule to deny all ICMP traffic from the outside zone.
Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone.
Question: 64
An engineer is tasked with configuring a Zone Protection profile on the untrust zone. Which three settings can be configured on a Zone Protection profile? (Choose three.)
Ethernet SGT Protection
Protocol Protection
DoS Protection
Reconnaissance Protection
Resource Protection
Protocol Protection: is used to protect against known protocol vulnerabilities, such as buffer overflows and malformed packets.
DoS Protection: is used to protect against denial-of-service (DoS) attacks, such as SYN floods and ICMP floods.
Reconnaissance Protection: is used to protect against reconnaissance attacks, such as port scans and ping sweeps.
Question: 65
A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor’s routing table.
Which two configurations should you check on the firewall? (Choose two.)
In the OSFP configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
Within the redistribution profile ensure that Redist is selected.
Ensure that the OSPF neighbor state Is "2-Way."
In the redistribution profile check that the source type is set to "ospf."
Question: 66
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
Yes. because the action is set to "allow ”
No because WildFire categorized a file with the verdict "malicious"
Yes because the action is set to "alert"
No because WildFire classified the seventy as "high."
Answer: C
Question: 67 DRAG DROP
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.
Explanation:
Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file. Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.
Step 3. Upload or drag and drop the technical support file.
Step 4. Map the zone type and area of the architecture to each zone. Step 5. Follow the steps to download the BPA report bundle.
Question: 68
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.
When upgrading Log Collectors to 10.2, you must do what?
Upgrade the Log Collectors one at a time.
Add Panorama Administrators to each Managed Collector.
Add a Global Authentication Profile to each Managed Collector.
Upgrade all the Log Collectors at the same time.
Question: 69
How would an administrator configure a Bidirectional Forwarding Detection profile for BGP after enabling the Advance Routing Engine run on PAN-OS 10.2?
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Virtual Router > BGP > BFD
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD profile under Network > Routing > Logical Routers > BGP > BFD