PCNSE7 Exam - Palo Alto Networks Certified Network Security Engineer

NEW QUESTION 1
How can a candidate or running configuration be copied to a host external from Panorama?

• A. Commit a running configuration.
• B. Save a configuration snapshot.
• C. Save a candidate configuration.
• D. Export a named configuration snapshot.

Answer: D

NEW QUESTION 2
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

• A. Microsoft Active Directory
• B. Microsoft Terminal Services
• C. Aerohive Wireless Access Point
• D. Palo Alto Networks Captive Portal

Answer: B

NEW QUESTION 3
Which field is optional when creating a new Security Policy rule?

• A. Name
• B. Description
• C. Source Zone
• D. Destination Zone
• E. Action

Answer: B

NEW QUESTION 4
A customer has an application that is being identified as unknown-top for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

• A. Application Override policy.
• B. Security policy to identify the custom application.
• C. Custom application.
• D. Custom Service object.

Answer: BC

NEW QUESTION 5
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

• A. test panoramas-connect 10.10.10.5
• B. show panoramas-status
• C. show arp all I match 10.10.10.5
• D. topdump filter "host 10.10.10.5
• E. debug dataplane packet-diag set capture on

Answer: BD

NEW QUESTION 6
Support for which authentication method was added in PAN-OS 7.0?

• A. RADIUS
• B. LDAP
• C. Diameter
• D. TACACS+

Answer: D

NEW QUESTION 7
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?

• A. The IP Address of sinkhole.paloaltonetworks.com
• B. The IP Address of the command-and-control server
• C. The IP Address specified in the sinkhole configuration
• D. The IP Address of one of the external DNS servers identified in the anti-spyware database

Answer: C

Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify-DNS-Sinkhole-Function-is-Working/ta-p/65864

NEW QUESTION 8
Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

• A. 172.20.30.1
• B. 172.20.20.1
• C. 172.20.10.1
• D. 172.20.40.1

Answer: B

NEW QUESTION 9
A company has a policy that denies all applications it classifies as bad and permits only application it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)

• A. A report can be created that identifies unclassified traffic on the network.
• B. Different security profiles can be applied to traffic matching rules 2 and 3.
• C. Rule 2 and 3 apply to traffic on different ports.
• D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Answer: BD

NEW QUESTION 10
Which method will dynamically register tags on the Palo Alto Networks NGFW?

• A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
• B. Restful API or the VMware API on the firewall or on the User-ID agent
• C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
• D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

Answer: D

NEW QUESTION 11
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

• A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
• B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
• C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
• D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: BD

NEW QUESTION 12
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

• A. Certificate revocation list
• B. Trusted root certificate
• C. Machine certificate
• D. Online Certificate Status Protocol

Answer: C

NEW QUESTION 13
Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?

• A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
• B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
• C. Configure log compression and optimization features on all remote firewalls.
• D. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Answer: C

NEW QUESTION 14
Click the Exhibit button

An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company.
What would be the administrator's next step?

• A. Right-Click on the bittorrent link and select Value from the context menu
• B. Create a global filter for bittorrent traffic and then view Traffic logs.
• C. Create local filter for bittorrent traffic and then view Traffic logs.
• D. Click on the bittorrent application link to view network activity

Answer: D

NEW QUESTION 15
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting. It is determined that traffic cannot pass from the ethernet1/3 to ethernet1/4. What can be the cause of the problem?

• A. DHCP has been set to Auto.
• B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
• C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
• D. DNS has not been properly configured on the firewall

Answer: B

NEW QUESTION 16
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)

• A. BGP not sure
• B. OSPFv3
• C. RIP
• D. Static Route

Answer: BD

Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/Does-PAN-OS-Support-Dynamic-Routing-Protocols-OSPF-or-BGP-with/ta-p/62773

NEW QUESTION 17
A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

• A. Block all unauthorized applications using a security policy
• B. Block all known internal custom applications
• C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
• D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks

Answer: D

NEW QUESTION 18
Which three options are available when creating a security profile? (Choose three)

• A. Anti-Malware
• B. File Blocking
• C. Url Filtering
• D. IDS/ISP
• E. Threat Prevention
• F. Antivirus

Answer: ABF