2024 New PCNSE Dumps - Real Palo Alto Networks Exam Questions
Dependable PCNSE Exam Dumps to Become Palo Alto Networks Certified
NEW QUESTION # 49
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?
- A. From the CLI, issue the show counter interface command for the ingress interface.
- B. From the CLI, issue the show counter global filter packet-filter yes command.
- C. From the GUI, select show global counters under the monitor tab.
- D. From the CLI, issue the show counter global filter pcap yes command.
Answer: B
Explanation:
You can check global counters for specific source and destination IP addresses by setting a packet filter. We recommend that you use the global counter command with a packet filter to get specific traffic outputs. These outputs will help isolate the issue between two peers.
Use the following CLI command to show when traffic is passing through the Palo Alto Networks firewall from that source to destination.
```
> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 20.220 seconds
name             value    rate  severity  category  aspect   description
--------------------------------------------------------------------------------
pkt_recv         6387398  4     info      packet    pktproc  Packets received
pkt_recv_zero    370391   0     info      packet    pktproc  Packets received from QoS 0
```
Etc.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-check-global-counters-for-a-specific-source-and/ta-p/65794
NEW QUESTION # 50
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A:
B:
C:
D:
E:
- A. Option C
- B. Option A
- C. Option E
- D. Option B
- E. Option D
Answer: D
NEW QUESTION # 51
Match each GlobalProtect component to the purpose of that component
Answer:
Explanation:
NEW QUESTION # 52
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)
- A. RADIUS
- B. Kerberos
- C. PAP
- D. TACACS+
- E. LDAP
- F. SAML
Answer: B,E,F
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/manage-firewall-administrat
NEW QUESTION # 53
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
- A. RADIUS
- B. Kerberos
- C. PAP
- D. TACACS+
- E. LDAP
- F. SAML
Answer: B,E,F
Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/manage-firewall-administrat
The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:
- Configure SAML Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
NEW QUESTION # 54
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the output from the command:
less mp-log ikemgr.log:
What could be the cause of this problem?
- A. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.
- B. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
- C. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
- D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
Answer: C
NEW QUESTION # 55
Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)
- A. Fingerprint
- B. SMS
- C. User certificate
- D. One-time password
- E. Voice
Answer: B,C,D
Explanation:
The firewall can use three multi-factor authentication methods to authenticate access to the firewall: SMS, user certificate, and one-time password. These methods can be used in combination with other authentication factors, such as username and password, to provide stronger security for accessing the firewall web interface or CLI. The firewall can integrate with various MFA vendors that support these methods through RADIUS or SAML protocols. Voice and fingerprint are not supported by the firewall as MFA methods. References: MFA Vendor Support, PCNSE Study Guide (page 48)
NEW QUESTION # 56
An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
- A. Threat logs
- B. WildFire logs
- C. System logs
- D. Traffic logs
Answer: B
Explanation:
Reference: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama.html
NEW QUESTION # 57
Which feature prevents the submission of corporate login information into website forms?
- A. Data filtering
- B. User-ID
- C. Credential phishing prevention
- D. File blocking
Answer: C
Explanation:
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation-security-platform-contributes-to-gdpr-co
"Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website.
Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate."
NEW QUESTION # 58
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/about-wildfire.html
NEW QUESTION # 59
Refer to the exhibit.
Which will be the egress interface if the traffic's ingress interface is ethernet1/7, the source is 192.168.111.3, and the destination is 10.46.41.113?
- A. ethernet1/5
- B. ethernet1/3
- C. ethernet1/6
- D. ethernet1/7
Answer: B
Explanation:
PBF points to e1/5, but the current time is not within the time schedule, so normal routing applies and the traffic goes to e1/3.
NEW QUESTION # 60
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
- A. Option C
- B. Option D
- C. Option A
- D. Option B
Answer: B
Explanation:
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama.html#
NEW QUESTION # 61
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
- A. Decryption will not function because self-signed root certificates are not supported
- B. Decryption will function and there will be no effect to end users
- C. Decryption will function but users will see certificate warnings for each SSL site they visit
- D. Decryption will not function until the certificate is installed on client systems
Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
NEW QUESTION # 62
In the following image from Panorama, why are some values shown in red?
- A. sg2 has misconfigured session thresholds.
- B. us3 has a logging rate that deviates from the administrator-configured thresholds.
- C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
- D. sg2 session count is the lowest compared to the other managed devices.
Answer: C
NEW QUESTION # 63
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
- A. virtual systems
- B. collector groups
- C. variables
- D. template stacks
Answer: C,D
Explanation:
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-con
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-templates-and-tem
NEW QUESTION # 64
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.
Answer:
Explanation:
Step 1. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file.
Step 2. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment.
Step 3. Upload or drag and drop the technical support file.
Step 4. Map the zone type and area of the architecture to each zone.
Step 5. Follow the steps to download the BPA report bundle.
NEW QUESTION # 65
In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available.
This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
- A. Traffic logs
- B. System logs
- C. Threat logs
- D. WildFire logs
Answer: C
Explanation:
Access to the WildFire logs from Panorama requires the following: a WildFire subscription, a File Blocking profile that is attached to a Security rule, and Threat log forwarding to Panorama.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/monitor-network-activity/use-case-respond-t
NEW QUESTION # 66
Place the steps in the WildFire process workflow in their correct order.
Answer:
Explanation:
NEW QUESTION # 67
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
- A. Disable automatic updates during weekdays.
- B. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
- C. Automatically "download and install" but with the "disable new applications" option used.
- D. Configure the option for "Threshold".
Answer: D
Explanation:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/threat-prevention/best-practices-for-application-and-threat-content-updates#
NEW QUESTION # 68
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)
- A. GlobalProtect agent
- B. User-ID Windows-based agent
- C. XML API
- D. log forwarding auto-tagging
Answer: B,D
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.
You can enable the dynamic registration process using any of the following options:
User-ID agent for Windows*
VM Information Sources
Panorama Plugin
VMware Service Manager
XML API*
Auto-Tag*
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.p
Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.
NEW QUESTION # 69
Which event will happen if an administrator uses an Application Override Policy?
- A. The application name assigned to the traffic by the security rule is written to the Traffic log.
- B. App-ID processing time is increased.
- C. Threat-ID processing time is decreased.
- D. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
Answer: D
Explanation:
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or-unknown-applications#
NEW QUESTION # 70
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)
- A. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.
- B. A security policy with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application.
- C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
- D. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
Answer: A,C
NEW QUESTION # 71
Which CLI command displays the current management plane memory utilization?
- A. > show running resource-monitor
- B. > show system info
- C. > debug management-server show
- D. > show system resources
Answer: D
Explanation:
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system-resources/ta-p/59364
"The command show system resources gives a snapshot of Management Plane (MP) resource utilization including memory and CPU. This is similar to the 'top' command in Linux."
https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system-resources/ta-p/593
NEW QUESTION # 72
......