PCNSE7 Exam - Palo Alto Networks Certified Network Security Engineer

certleader.com


NEW QUESTION 1
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

  • A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
  • B. Wait until an official Application signature is provided from Palo Alto Networks.
  • C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application.
  • D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Answer: D

NEW QUESTION 2
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”.
Which action will this configuration cause on the matched traffic?

  • A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to “Deny”.
  • B. The configuration will allow the matched session unless a vulnerability is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
  • C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
  • D. The configuration is valid. It will cause the firewall to deny the matched session. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny.”

Answer: B

NEW QUESTION 3
How are IPv6 DNS queries configured to use interface ethernet1/3?

  • A. Network > Virtual Router > DNS Interface
  • B. Objects > CustomerObjects > DNS
  • C. Network > Interface Mgmt
  • D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 4
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component, once enabled on a perimeter firewall, will allow the identification of existing infected hosts in an environment?

  • A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole
  • B. File Blocking profiles applied to outbound security policies with action set to alert
  • C. Vulnerability Protection profiles applied to outbound security policies with action set to block
  • D. Antivirus profiles applied to outbound security policies with action set to alert

Answer: A

NEW QUESTION 5
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

  • A. Disable Server Response Inspection
  • B. Apply an Application Override
  • C. Disable HIP Profile
  • D. Add server IP Security Policy exception

Answer: A

NEW QUESTION 6
There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects.
How would an administrator configure the interface to 1Gbps?

  • A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
  • B. set deviceconfig system speed-duplex 1Gbps-duplex
  • C. set deviceconfig system speed-duplex 1Gbps-full-duplex
  • D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: B

NEW QUESTION 7
Only two Trust to Untrust allow rules have been created in the Security policy:
Rule1 allows google-base
Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.
Which action will allow youtube.com to display in the browser correctly?

  • A. Add SSL App-ID to Rule1
  • B. Create an additional Trust to Untrust Rule, add the web-browsing and SSL App-IDs to it
  • C. Add the DNS App-ID to Rule2
  • D. Add the Web-browsing App-ID to Rule2

Answer: C

NEW QUESTION 8
A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?

  • A. test routing fib virtual-router vr1
  • B. show routing route type static destination 98.139.183.24
  • C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1
  • D. show routing interface

Answer: C

NEW QUESTION 9
Which three functions are found on the dataplane of a PA-5050? (Choose three.)

  • A. Protocol Decoder
  • B. Dynamic routing
  • C. Management
  • D. Network Processing
  • E. Signature Match

Answer: BDE

NEW QUESTION 10
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

  • A. Kerberos
  • B. PAP
  • C. SAML
  • D. TACACS+
  • E. RADIUS
  • F. LDAP

Answer: ACF

NEW QUESTION 11
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web browsing access to the server.
Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?

  • A. application: web-browsing; service: application-default
  • B. application: web-browsing; service: service-https
  • C. application: ssl; service: any
  • D. application: web-browsing; service: (custom with destination TCP port 8080)

Answer: A

NEW QUESTION 12
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  • A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
  • B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
  • C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
  • D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Answer: B

NEW QUESTION 13
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  • A. Disable SNMP on the management interface.
  • B. Application override of SSL application.
  • C. Disable logging at session start in Security policies.
  • D. Disable predefined reports.
  • E. Reduce the traffic being decrypted by the firewall.

Answer: CDE

NEW QUESTION 14
PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?

  • A. Application Center
  • B. URL Filtering
  • C. GlobalProtect
  • D. Threat Prevention

Answer: D

NEW QUESTION 15
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 7.0? (Choose two.)

  • A. KVM
  • B. VMware ESX
  • C. VMware NSX
  • D. AWS

Answer: AB

NEW QUESTION 16
Which option is part of the content inspection process?

  • A. Packet forwarding process
  • B. SSL Proxy re-encrypt
  • C. IPsec tunnel encryption
  • D. Packet egress process

Answer: A

NEW QUESTION 17
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface.
Which configuration setting needs to be modified?

  • A. Service route
  • B. Default route
  • C. Management profile
  • D. Authentication profile

Answer: A

NEW QUESTION 18
Company.com wants to enable Application Override. Given the following screenshot:
[Exhibit: screenshot not included]
Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two.)

  • A. Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines.
  • B. Traffic will be forced to operate over UDP Port 16384.
  • C. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base".
  • D. Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.

Answer: AC
