PCNSE7 Exam - Palo Alto Networks Certified Network Security Engineer

NEW QUESTION 1
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair.
Which NGFW receives the configuration from Panorama?

• A. The Passive firewall, which then synchronizes to the active firewall
• B. The active firewall, which then synchronizes to the passive firewall
• C. Both the active and passive firewalls, which then synchronize with each other
• D. Both the active and passive firewalls independently, with no synchronization afterward

Answer: C

NEW QUESTION 2
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

• A. ACC
• B. System Logs
• C. App Scope
• D. Session Browser

Answer: D

NEW QUESTION 3
Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)

• A. Virtual Wire
• B. Loopback
• C. Layer 3
• D. Tunnel

Answer: BC

NEW QUESTION 4
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

• A. The two devices must share a routable floating IP address
• B. The two devices may be different models within the PA-5000 series
• C. The HA1 IP address from each peer must be on a different subnet
• D. The management port may be used for a backup control connection

Answer: D

NEW QUESTION 5
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?

• A. Client Probing
• B. Terminal Services agent
• C. GlobalProtect
• D. Syslog Monitoring

Answer: C

NEW QUESTION 6
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

• A. web-browsing and 443
• B. SSL and 80
• C. SSL and 443
• D. web-browsing and 80

Answer: B

NEW QUESTION 7
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens thousands of bogus UDP connections per second to a single destination IP address and post.
Which option when enabled with the correction threshold would mitigate this attack without dropping legitirnate traffic to other hosts insides the network?

• A. Zone Protection Policy with UDP Flood Protection
• B. QoS Policy to throttle traffic below maximum limit
• C. Security Policy rule to deny trafic to the IP address and port that is under attack
• D. Classified DoS Protection Policy using destination IP only with a Protect action

Answer: D

NEW QUESTION 8
YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall:
* ethernet1/1, Zone: Untrust (Internet-facing)
* ethernet1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.
Which setting for class 6 with throttle YouTube traffic?

• A. Outbound profile with Guaranteed Ingress
• B. Outbound profile with Maximum Ingress
• C. Inbound profile with Guaranteed Egress
• D. Inbound profile with Maximum Egress

Answer: D

NEW QUESTION 9
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

• A. Option A
• B. Option B
• C. Option C
• D. Option D
• E. Option E

Answer: B

NEW QUESTION 10
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

• A. From the CLI, issue the show counter global filter pcap yes command.
• B. From the CLI, issue the show counter global filter packet-filter yes command.
• C. From the GUI, select show global counters under the monitor tab.
• D. From the CLI, issue the show counter interface command for the ingress interface.

Answer: B

NEW QUESTION 11
Which three settings are defined within the Templates object of Panorama? (Choose three.)

• A. Setup
• B. Virtual Routers
• C. Interfaces
• D. Security
• E. Application Override

Answer: ADE

NEW QUESTION 12
The IT department has received complaints abou VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter.
Which feature can be used to identify, in real time, the applications taking up the most bandwidth?

• A. QoS Statistics
• B. Applications Report
• C. Application Command Center (ACC)
• D. QoS Log

Answer: A

NEW QUESTION 13
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been
configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

• A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
• B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
• C. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
• D. Configure path monitoring for the next hop gateway on the default route in the virtual router.

Answer: D

NEW QUESTION 14
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?

• A. The three-way TCP handshake was observed, but the application could not be identified.
• B. The three-way TCP handshake did not complete.
• C. The traffic is coming across USP, and the application could not be identified.
• D. Data was received but was instantly discarded because of a Deny policy was applied before App-ID could be applied.

Answer: C

NEW QUESTION 15
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans.
Which Security Profile type will protect against worms and trojans?

• A. Anti-Spyware
• B. Instruction Prevention
• C. File Blocking
• D. Antivirus

Answer: D

NEW QUESTION 16
Which protection feature is available only in a Zone Protection Profile?

• A. SYN Flood Protection using SYN Flood Cookies
• B. ICMP Flood Protection
• C. Port Scan Protection
• D. UDP Flood Protections

Answer: A

NEW QUESTION 17
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?

• A. Blocked Activity
• B. Bandwidth Activity
• C. Threat Activity
• D. Network Activity

Answer: D

NEW QUESTION 18
Which Palo Alto Networks VM-Series firewall is valid?

• A. VM-25
• B. VM-800
• C. VM-50
• D. VM-400

Answer: C