Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Paloalto Networks PCNSE - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Paloalto Networks PCNSE Premium Access     Download Demo    
Page: 1 / 12
Total 374 questions

A firewall administrator has confirm reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)

A.

Move the policy with action decrypt to the top of the decryption policy rulebase.

B.

Temporarily disable SSL decryption for all websites to troubleshoot the issue.

C.

Create a policy-based “No Decrypt” rule in the decryption policy to exclude specific traffic from decryption.

D.

Investigate decryption logs of the specific traffic to determine reasons for failure.

E.

Disable SSL handshake logging.

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application

If a URL is in multiple custom URL categories with different actions, which action will take priority?

A.

Allow

B.

Override

C.

Block

D.

Alert

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?

A.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. * Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source HIP profile. Enable GlobalProtect Gateway Agent for HIP Notification.

B.

Create Security Profiles for Antivirus and Anti-Spyware.Create Security Profile Group that includes the Antivirus and Anti-Spyware profiles. Enable GlobalProtect Portal Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Gateway Agent for HIP Notification.

C.

Create a HIP object with Anti-Malware enabled and Real Time Protection set to yes. Create a HIP Profile that matches the HIP object criteria. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that matches source device object. Enable GlobalProtect Portal Agent for HIP Notification.

D.

Create Security Profiles for Antivirus and Anti-Spyware.Create Security Profile Group that includes the Antivirus and Anti-Spyware profile. Enable GlobalProtect Gateway Agent to collect HIP Data Collection. Create a Security policy that has the Profile Setting. Profile Type selected to Group. Enable GlobalProtect Portal Agent for HIP Notification.

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

A.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

B.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

C.

Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

D.

Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

A.

Check dependencies

B.

Schedules

C.

Verify

D.

Revert content

E.

Install

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?

A.

Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API and push them to the firewalls.

B.

Create custom vulnerability signatures manually on one firewall export them, and then import them to the rest of the firewalls

C.

Use Panorama IPs Signature Converter to create custom vulnerability signatures, and push them to the firewalls.

D.

Create custom vulnerability signatures manually in Panorama, and push them to the firewalls

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?

A.

New sessions and is global

B.

New sessions and is not global

C.

Existing sessions and is not global

D.

Existing sessions and is global