Winter Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Paloalto Networks PCNSE - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Paloalto Networks PCNSE Premium Access     Download Demo    
Page: 2 / 12
Total 374 questions

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

A.

Resource Protection

B.

TCP Port Scan Protection

C.

Packet Based Attack Protection

D.

Packet Buffer Protection

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

A.

Destination Zone Outside. Destination IP address 2.2.2.1

B.

Destination Zone DMZ, Destination IP address 10.10.10.1

C.

Destination Zone DMZ, Destination IP address 2.2.2.1

D.

Destination Zone Outside. Destination IP address 10.10.10.1

A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?

A.

Device > Setup Settings Do not enable on each interface

B.

Network > Zone Settings Do not enable on each interface

C.

Network > Zone Settings Enable on each interface

D.

Device > Setup Settings Enable on each interface

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)

A.

Route added with next hop set to "none" and using the interface of the virtual systems that need to communicate

B.

External zones with the virtual systems added

C.

Route added with next hop next-vr by using the VR configured in the virtual system

D.

Layer 3 zones for the virtual systems that need to communicate

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

A.

show chassis status slot s1

B.

show s/stem state filter ethernet1/1

C.

show s/stem state filter sw.dev interface config

D.

show s/stem state filter-pretty sys.sl*

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

A.

Lower the interface MTU value below 1500.

B.

Enable the Ignore IPv4 Don't Fragment (DF) setting.

C.

Change the subnet mask from /23 to /24.

D.

Adjust the TCP maximum segment size (MSS) value.

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A.

A self-signed Certificate Authority certificate generated by the firewall

B.

A Machine Certificate for the firewall signed by the organization's PKI

C.

A web server certificate signed by the organization's PKI

D.

A subordinate Certificate Authority certificate signed by the organization's PKI

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

A.

Specify the target device as the master device in the device group

B.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

C.

Add the template as a reference template in the device group

D.

Add a firewall to both the device group and the template

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config