PCNSE7 Exam - Palo Alto Networks Certified Network Security Engineer

NEW QUESTION 1
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?

• A. Master
• B. Universal
• C. Shared
• D. Global

Answer: C

NEW QUESTION 2
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)

• A. WildFire updates
• B. NAT
• C. NTP
• D. antivirus
• E. File blocking

Answer: ABC

NEW QUESTION 3

What will be the source address in the ICMP packet?

• A. 10.30.0.93
• B. 10.46.72.93
• C. 10.46.64.94
• D. 192.168.93.1

Answer: C

NEW QUESTION 4
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?

• A. Device>Setup>Services>AutoFocus
• B. Device> Setup>Management >AutoFocus
• C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
• D. Device>Setup>WildFire>AutoFocus
• E. Device>Setup> Management> Logging and Reporting Settings

Answer: B

NEW QUESTION 5
In a virtual router, which object contains all potential routes?

• A. MIB
• B. RIB
• C. SIP
• D. FIB

Answer: B

NEW QUESTION 6
Which Captive Portal mode must be configured to support MFA authentication?

• A. NTLM
• B. Redirect
• C. Single Sign-On
• D. Transparent

Answer: B

NEW QUESTION 7
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

• A. Session Browser
• B. Application Command Center
• C. TCP Dump
• D. Packet Capture

Answer: B

NEW QUESTION 8
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

• A. Configure a Decryption Profile and select SSL/TLS services.
• B. Set up SSL/TLS under Polices > Service/URL Category>Service.
• C. Set up Security policy rule to allow SSL communication.
• D. Configure an SSL/TLS Profile.

Answer: D

NEW QUESTION 9
Which event will happen if an administrator uses an Application Override Policy?

• A. Threat-ID processing time is decreased.
• B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
• C. The application name assigned to the traffic by the security rule is written to the Traffic log.
• D. App-ID processing time is increased.

Answer: B

NEW QUESTION 10
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is th output from the command:
less mp-log ikemgr.log:

What could be the cause of this problem?

• A. The public IP addresse do not match for both the Palo Alto Networks Firewall and the ASA.
• B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
• C. The shared secerts do not match between the Palo Alto firewall and the ASA
• D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA

Answer: B

NEW QUESTION 11
If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?

• A. Mapping to the IP address of the logged-in user.
• B. First four letters of the username matching any valid corporate username.
• C. Using the same user’s corporate username and password.
• D. Marching any valid corporate username.

Answer: A

NEW QUESTION 12
Which CLI command displays the current management plan memory utilization?

• A. > show system info
• B. > show system resources
• C. > debug management-server show
• D. > show running resource-monitor

Answer: B

Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58149

NEW QUESTION 13
Which command can be used to validate a Captive Portal policy?

• A. eval captive-portal policy <criteria>
• B. request cp-policy-eval <criteria>
• C. test cp-policy-match <criteria>
• D. debug cp-policy <criteria>

Answer: C

NEW QUESTION 14
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number?

• A. debug system details
• B. show session info
• C. show system info
• D. show system details

Answer: C

NEW QUESTION 15
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

• A. Security policy
• B. Decryption policy
• C. Authentication policy
• D. Application Override policy

Answer: C

NEW QUESTION 16
Which three types of software will receive a Grayware verdict from WildFire? (Choose Three)

• A. Browser Toolbar
• B. Trojans
• C. Ransomeware
• D. Potentially unwanted programs
• E. Adware.

Answer: ADE

Explanation: https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

NEW QUESTION 17
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

• A. Vulnerability Object
• B. DoS Protection Profile
• C. Data Filtering Profile
• D. Zone Protection Profile

Answer: BD

NEW QUESTION 18
Server Message Block (SMB), a common file-sharing application, is slow when passing through a Palo Alto Networks firewall. The Network Security Administrator created an application override policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?

• A. Layer 7 processing has been disabled for SMB traffic.
• B. Layer 4 processing has been disabled for the SMB traffic.
• C. Zone protection is no longer being applied.
• D. Security policy assignment is being done more efficiently.

Answer: A