PCNSE7 Exam - Palo Alto Networks Certified Network Security Engineer

NEW QUESTION 1
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application.
Which application should be used to identify traffic traversing the NGFW?

• A. Custom application
• B. System logs show an application error and neither signature is used.
• C. Downloaded application
• D. Custom and downloaded application signature files are merged and both are used

Answer: A

NEW QUESTION 2
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
•DMZ zone: DMZ-L3
•Public zone: Untrust-L3
•Guest zone: Guest-L3
•Web server zone: Trust-L3
•Public IP address (Untrust-L3): 1.1.1.1
•Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

• A. Untrust-L3
• B. DMZ-L3
• C. Guest-L3
• D. Trust-L3

Answer: A

NEW QUESTION 3
The certificate information displayed in the following image is for which type of certificate?

• A. Forward Trust certificate
• B. Self-Signed Root CA certificate
• C. Web Server certificate
• D. Public CA signed certificate

Answer: D

NEW QUESTION 4
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two)

• A. Panorama virtual appliance on ESX(i) only
• B. M-500
• C. M-100 with Panorama installed
• D. M-100

Answer: BC

Explanation: (https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181)

NEW QUESTION 5
Which method does an administrator use to integrate all non-native MFA platforms in PAN- OS® software?

• A. Okta
• B. DUO
• C. RADIUS
• D. PingID

Answer: C

NEW QUESTION 6
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

• A. Clean
• B. Bengin
• C. Adware
• D. Suspicious
• E. Grayware
• F. Malware

Answer: BEF

Explanation: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

NEW QUESTION 7
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

• A. SNMP Trap
• B. Email
• C. RADIUS
• D. Kerberos
• E. Panorama
• F. Syslog

Answer: ABF

NEW QUESTION 8
What must be used in Security Policy Rule that contain addresses where NAT policy applies?

• A. Pre-NAT addresse and Pre-NAT zones
• B. Post-NAT addresse and Post-Nat zones
• C. Pre-NAT addresse and Post-Nat zones
• D. Post-Nat addresses and Pre-NAT zones

Answer: C

NEW QUESTION 9
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?

• A. A Server Profile has not been configured for logging to this Panorama device.
• B. Panorama is not licensed to receive logs from this particular firewall.
• C. The firewall is not licensed for logging to this Panorama device.
• D. None of the firwwall's policies have been assigned a Log Forwarding profile

Answer: D

NEW QUESTION 10
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers.
Which option will protect the individual servers?

• A. Enable packet buffer protection on the Zone Protection Profile.
• B. Apply an Anti-Spyware Profile with DNS sinkholing.
• C. Use the DNS App-ID with application-default.
• D. Apply a classified DoS Protection Profile.

Answer: A

NEW QUESTION 11
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself.
Which configuration setting or step will allow the firewall to get automatic application signature updates?

• A. A scheduler will need to be configured for application signatures.
• B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers.
• C. A Threat Prevention license will need to be installed.
• D. A service route will need to be configured.

Answer: D

Explanation: The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.

NEW QUESTION 12
Which URL Filtering Security Profile action togs the URL Filtering category to the URL Filtering log?

• A. Log
• B. Alert
• C. Allow
• D. Default

Answer: B

NEW QUESTION 13
Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

• A. X-Auth IPsec VPN
• B. GlobalProtect Apple IOS
• C. GlobalProtect SSL
• D. GlobalProtect Linux

Answer: A

Explanation: ( http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/ )

NEW QUESTION 14
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)

• A. View Runtime Stats in the virtual router.
• B. View System logs.
• C. Add a redistribution profile to forward as BGP updates.
• D. Perform a traffic pcap at the routing stage.

Answer: AC

NEW QUESTION 15
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

• A. Use the import option to pull logs into Panorama.
• B. A CLI command will forward the pre-existing logs to Panorama.
• C. Use the ACC to consolidate pre-existing logs.
• D. The log database will need to exported form the firewalls and manually imported intoPanorama.

Answer: B

NEW QUESTION 16
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

• A. Configure the option for “Threshold”.
• B. Disable automatic updates during weekdays.
• C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
• D. Automatically “download and install” but with the “disable new applications” option used.

Answer: C

NEW QUESTION 17
Which three options does the WF-500 appliance support for local analysis? (Choose three)

• A. E-mail links
• B. APK files
• C. jar files
• D. PNG files
• E. Portable Executable (PE) files

Answer: ACE

NEW QUESTION 18
Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

• A. Certificate from Default Trust Certificate Authorities
• B. Domain Sub-CA
• C. Forward_Trust
• D. Domain-Root-Cert

Answer: A