New 2023 Realistic Free Palo Alto Networks PCNSE Exam Dump Questions & Answer [Q127-Q145]


PCNSE Practice Test Engine: Try These 310 Exam Questions

NEW QUESTION # 127
A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled:

The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two.)

  • A. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
  • B. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
  • C. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group.
  • D. Configure a Log Forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.

Answer: B,C


NEW QUESTION # 128
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

  • A. Use the debug dataplane packet-diag set capture stage firewall file command.
  • B. Use the debug dataplane packet-diag set capture stage management file command.
  • C. Enable all four stages of traffic capture (TX, RX, DROP, Firewall).
  • D. Use the tcpdump command.

Answer: D

Explanation:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface.html


NEW QUESTION # 129
The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
- Shared Address1
- Branch Address2
Policies
- Shared Policy1
- Branch Policy1

D)
Address Objects
- Shared Address1
- Shared Address2
- Branch Address1
Policies
- Shared Policy1
- Shared Policy2
- Branch Policy1

  • A. Option D
  • B. Option B
  • C. Option C
  • D. Option A

Answer: D


NEW QUESTION # 130
Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

  • A. Domain Sub-CA
  • B. Certificate from Default Trust Certificate Authorities
  • C. Forward_Trust
  • D. Domain-Root-Cert

Answer: B


NEW QUESTION # 131
There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?

  • A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
  • B. set deviceconfig system speed-duplex 1Gbps-duplex
  • C. set deviceconfig system speed-duplex 1Gbps-full-duplex
  • D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: C

Explanation:
Reference:
user@PA# set deviceconfig system speed-duplex
  100Mbps-full-duplex   100Mbps-full-duplex
  100Mbps-half-duplex   100Mbps-half-duplex
  10Mbps-full-duplex    10Mbps-full-duplex
  10Mbps-half-duplex    10Mbps-half-duplex
  1Gbps-full-duplex     1Gbps-full-duplex
  1Gbps-half-duplex     1Gbps-half-duplex
  auto-negotiate        auto-negotiate


NEW QUESTION # 132
An administrator wants to upgrade an NGFW from PAN-OS 7.1.2 to PAN-OS 8.1.0. The firewall is not a part of an HA pair.
What needs to be updated first?

  • A. Applications and Threats
  • B. PAN-OS Upgrade Agent
  • C. XML Agent
  • D. WildFire

Answer: D


NEW QUESTION # 133
The automated Correlation Engine uses correlation objects to analyze the logs for patterns. When a match occurs:

  • A. The Correlation Engine blocks the connection
  • B. The Correlation Engine generates a correlation event
  • C. The Correlation Engine dumps the alarm log
  • D. The Correlation Engine displays a warning message to the end user

Answer: B


NEW QUESTION # 134
After configuring HA in Active/Passive mode on a pair of firewalls, the administrator gets a failed commit with the following details.

What are two explanations for this type of issue? (Choose two.)

  • A. The peer IP is not included in the permit list on Management Interface Settings
  • B. One of the firewalls has gone into the suspended state
  • C. Either management or a data-plane interface is used as HA1-backup
  • D. The Backup Peer HA1 IP Address was not configured when the commit was issued

Answer: C,D

Explanation:
Cause: The issue is seen when the HA1-backup is configured with either management (MGT) or an in-band interface. The "Backup Peer HA1 IP Address" is not configured.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UmPCAU&lang=en_US


NEW QUESTION # 135
Which statement is true regarding a Best Practice Assessment?

  • A. It runs only on firewalls
  • B. When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities.
  • C. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
  • D. It shows how your current configuration compares to Palo Alto Networks recommendations

Answer: D

Explanation:
The Best Practice Assessment (BPA) tool compares the configuration of firewalls and Panorama to the Palo Alto Networks best practice recommendations. Run the BPA periodically to identify security weaknesses, see the best practice settings, and implement them to improve your security posture.
https://docs.paloaltonetworks.com/best-practices/10-2/bpa-getting-started


NEW QUESTION # 136
A company is looking to increase redundancy in their network. Which interface type could help accomplish this?

  • A. Tap
  • B. Layer 2
  • C. Aggregate ethernet
  • D. Virtual wire

Answer: C

Explanation:
An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/config


NEW QUESTION # 137
What is the best definition of the Heartbeat Interval?

  • A. The interval in milliseconds between hello packets
  • B. The frequency at which the HA peers check link or path availability
  • C. The frequency at which the HA peers exchange ping
  • D. The interval during which the firewall will remain active following a link monitor failure

Answer: A

Explanation:
According to the Palo Alto Networks Knowledge Base, the best definition of the Heartbeat Interval is A, the interval in milliseconds between hello packets.
The Heartbeat Interval is a CLI command that configures how often an HA peer sends an ICMP ping to its partner through the HA control link. The ping verifies network connectivity and ensures that the peer kernel is responsive. The default value is 1000ms for all Palo Alto Networks platforms.


NEW QUESTION # 138
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode.
Which statement is true about this deployment?

  • A. The two devices must share a routable floating IP address
  • B. The HA1 IP address from each peer must be on a different subnet
  • C. The two devices may be different models within the PA-5000 series
  • D. The management port may be used for a backup control connection

Answer: D


NEW QUESTION # 139
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

  • A. You must set the interface to Layer 2, Layer 3, or virtual wire
  • B. You must enable DoS and zone protection
  • C. You must use a static IP address
  • D. The interface must be used for traffic to the required services

Answer: D


NEW QUESTION # 140
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

  • A. The firewall is in multi-vsys mode.
  • B. The firewall's DP CPU is higher than 50%.
  • C. The traffic is offloaded.
  • D. The traffic does not match the packet capture filter.

Answer: C,D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload


NEW QUESTION # 141
An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?

  • A. Add the network segment's IP range to the Permitted IP Addresses list
  • B. Configure a service route for HTTP to use the subinterface
  • C. Specify the subinterface as a management interface in Setup > Device > Interfaces.
  • D. Enable HTTPS in an Interface Management profile on the subinterface.

Answer: D

Explanation:
An interface management profile defines which services are available on an interface, such as HTTPS, SSH, ping, or SNMP. By enabling HTTPS in an interface management profile on the subinterface, the engineer can allow XML API access to the firewall for automation on the network segment that is routed through the subinterface. Specifying the subinterface as a management interface in Setup > Device > Interfaces is not possible, as only physical interfaces can be designated as management interfaces. Adding the network segment's IP range to the Permitted IP Addresses list will not help, as this list only applies to the dedicated management interface. Configuring a service route for HTTP to use the subinterface will not help, as this will only affect the outbound traffic from the firewall to external services, not the inbound traffic to the firewall for XML API access.
References:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-int
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/en


NEW QUESTION # 142
Which three options are supported in HA Lite? (Choose three.)

  • A. Virtual link
  • B. Configuration synchronization
  • C. Active/passive deployment
  • D. Session synchronization
  • E. Synchronization of IPsec security associations

Answer: B,C,E

Explanation:
"The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover."


NEW QUESTION # 143
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)

  • A. Log Forwarding
  • B. LDAP
  • C. HTTP
  • D. Log Ingestion

Answer: A,C


NEW QUESTION # 144
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

  • A. Decryption log
  • B. Data Filtering log
  • C. In the details of the Threat log entries
  • D. In the details of the Traffic log entries

Answer: D

Explanation:
Reference:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719


NEW QUESTION # 145
......
