Paloalto Networks-PCNSE7_formatted

Number: 000-000
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

http://www.gratisexam.com/

Paloalto Networks
Exam PCNSE7
Palo Alto Networks Certified Network Security Engineer
[ Total Questions: 60 ]

TestGuide4U (ExamGuidesForIT)
Check Out Our Site at: www.e-junkie.com\TestGuide4u
More Exams Can be Purchased through Credit Cards or Paypal Online Directly. Download link will be sent to your email immediately after the purchase.

Upload: tranliem

Post on 04-May-2018



Exam A

QUESTION 1

Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?

A. Certificate revocation list
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol

Correct Answer: C

QUESTION 2

What can cause missing SSL packets when performing a packet capture on dataplane interfaces?

A. The packets are hardware offloaded to the offloaded processor on the dataplane
B. The missing packets are offloaded to the management plane CPU
C. The packets are not captured because they are encrypted
D. There is a hardware problem with offloading FPGA on the management plane

Correct Answer: A

QUESTION 3

A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.

Given the following zone information:

·DMZ zone: DMZ-L3

·Public zone: Untrust-L3

·Guest zone: Guest-L3

·Web server zone: Trust-L3

·Public IP address (Untrust-L3): 1.1.1.1

·Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule?

A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3

Correct Answer: A

QUESTION 4

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?

A. DHCP has been set to Auto.
B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
D. DNS has not been properly configured on the firewall

Correct Answer: B

QUESTION 5

What are three valid actions in a File Blocking Profile? (Choose three)

A. Forward
B. Block
C. Alert
D. Upload
E. Reset-both
F. Continue

Correct Answer: ABC

Explanation/Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p/53623

QUESTION 6

Which client software can be used to connect a remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

A. X-Auth IPsec VPN
B. GlobalProtect Apple IOS
C. GlobalProtect SSL
D. GlobalProtect Linux

Correct Answer: D

Explanation/Reference: http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/

QUESTION 7

A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

A. The two devices must share a routable floating IP address
B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection

Correct Answer: D

QUESTION 8

How is the Forward Untrust Certificate used?

A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted.
B. It is used when web servers request a client certificate.
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by the firewall.
D. It is used for Captive Portal to identify unknown users.

Correct Answer: A

QUESTION 9

A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.

Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise? (Choose three)

A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading.
B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one firewall.
E. Download and install PAN-OS 7.0.4 directly on each firewall.
F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.

Correct Answer: ADF

QUESTION 10

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.

Which part of files needs to be imported back into the replacement firewall that is using Panorama?

A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file

Correct Answer: B

QUESTION 11

A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

A. From the CLI, issue the show counter global filter pcap yes command.
B. From the CLI, issue the show counter global filter packet-filter yes command.
C. From the GUI, select show global counters under the monitor tab.
D. From the CLI, issue the show counter interface command for the ingress interface.

Correct Answer: B

QUESTION 12

Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.

Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

A. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
B. Wait until an official Application signature is provided from Palo Alto Networks.
C. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application
D. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Correct Answer: A

QUESTION 13

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.

Which component, once enabled on a perimeter firewall, will allow the identification of existing infected hosts in an environment?

A. Anti-Spyware profiles applied to outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert

Correct Answer: C

QUESTION 14

A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port.

Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network?

A. Zone Protection Policy with UDP Flood Protection
B. QoS Policy to throttle traffic below maximum limit
C. Security Policy rule to deny traffic to the IP address and port that is under attack
D. Classified DoS Protection Policy using destination IP only with a Protect action

Correct Answer: D

QUESTION 15

Which three functions are found on the dataplane of a PA-5050? (Choose three)

A. Protocol Decoder
B. Dynamic routing
C. Management
D. Network Processing
E. Signature Match

Correct Answer: BDE

QUESTION 16

Which Palo Alto Networks VM-Series firewall is supported for VMware NSX?

A. VM-100
B. VM-200
C. VM-1000-HV
D. VM-300

Correct Answer: C

QUESTION 17

What are three valid methods of user mapping? (Choose three)

A. Syslog
B. XML API
C. 802.1X
D. WildFire
E. Server Monitoring

Correct Answer: BC

QUESTION 18

Which three log-forwarding destinations require a server profile to be configured? (Choose three)

A. SNMP Trap
B. Email
C. RADIUS
D. Kerberos
E. Panorama
F. Syslog

Correct Answer: ABF

QUESTION 19

Which command can be used to validate a Captive Portal policy?

A. eval captive-portal policy <criteria>
B. request cp-policy-eval <criteria>
C. test cp-policy-match <criteria>
D. debug cp-policy <criteria>

Correct Answer: C

QUESTION 20

How does Panorama handle incoming logs when it reaches the maximum storage capacity?

A. Panorama discards incoming logs when storage capacity is full.
B. Panorama stops accepting logs until licenses for additional storage space are applied
C. Panorama stops accepting logs until a reboot to clean storage space.
D. Panorama automatically deletes older logs to create space for new ones.

Correct Answer: D

Explanation/Reference: https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/determine-panorama-log-storage-requirements

QUESTION 21

A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab.

What could cause this condition?

A. The firewall does not have an active WildFire subscription.
B. The engineer's account does not have permission to view WildFire Submissions.
C. A policy is blocking WildFire Submission traffic.
D. Though WildFire is working, there are currently no WildFire Submissions log entries.

Correct Answer: A

QUESTION 22

Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two)

A. Vulnerability Object
B. DoS Protection Profile
C. Data Filtering Profile
D. Zone Protection Profile

Correct Answer: BD

QUESTION 23

Only two Trust to Untrust allow rules have been created in the Security policy

Rule1 allows google-base

Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.

Which action will allow youtube.com to display in the browser correctly?

A. Add SSL App-ID to Rule1
B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
C. Add the DNS App-ID to Rule2
D. Add the Web-browsing App-ID to Rule2

Correct Answer: C

QUESTION 24

Which two mechanisms help prevent a split-brain scenario in an Active/Passive High Availability (HA) pair? (Choose two)

A. Configure the management interface as HA3 Backup
B. Configure Ethernet 1/1 as HA1 Backup
C. Configure Ethernet 1/1 as HA2 Backup
C. Configure the management interface as HA2 Backup
D. Configure the management interface as HA1 Backup
E. Configure ethernet1/1 as HA3 Backup

Correct Answer: BE

QUESTION 25

The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network.

Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two)

A. test panoramas-connect 10.10.10.5
B. show panoramas-status
C. show arp all | match 10.10.10.5
D. tcpdump filter "host 10.10.10.5"
E. debug dataplane packet-diag set capture on

Correct Answer: AC

QUESTION 26

A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall.

Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two)

A. A report can be created that identifies unclassified traffic on the network.
B. Different security profiles can be applied to traffic matching rules 2 and 3.
C. Rule 2 and 3 apply to traffic on different ports.
D. Separate Log Forwarding profiles can be applied to rules 2 and 3.

Correct Answer: AB

QUESTION 27

A logging infrastructure may need to handle more than 10,000 logs per second.

Which two options support a dedicated log collector function? (Choose two)

A. Panorama virtual appliance on ESX(i) only
B. M-500
C. M-100 with Panorama installed
D. M-100

Correct Answer: AC

Explanation/Reference: https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181

QUESTION 28

Click the Exhibit button below,

A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20.

Which is the next hop IP address for the HTTPS traffic from Will's PC?

A. 172.20.30.1
B. 172.20.40.1
C. 172.20.20.1
D. 172.20.10.1

Correct Answer: B

QUESTION 29

Which three options are available when creating a security profile? (Choose three)

A. Anti-Malware
B. File Blocking
C. URL Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus

Correct Answer: BCF

QUESTION 30

After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firewall's policies have been assigned a Log Forwarding profile

Correct Answer: D

QUESTION 31

A network Administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.

What should be done next?

A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with "default" in the Action column.

Correct Answer: B

QUESTION 32

The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080.

Which NAT and security rules must be configured on the firewall? (Choose two)

A. A security policy with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-l3 zone using web-browsing application
B. A NAT rule with a source of any from untrust-l3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
C. A NAT rule with a source of any from untrust-l3 zone to a destination of 1.1.1.100 in untrust-l3 zone using service-http service.
D. A security policy with a source of any from untrust-l3 zone to a destination of 1.1.100 in dmz-l3 zone using web-browsing application.

Correct Answer: BD

QUESTION 33

What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)

A. Clean
B. Benign
C. Adware
D. Suspicious
E. Grayware
F. Malware

Correct Answer: BEF

Explanation/Reference: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/wildfire-features/wildfire-grayware-verdict

QUESTION 34

A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.

What action will bring the VPN up and allow traffic to start passing between the sites?

A. Change the Site-B IKE Gateway profile version to match Site-A.
B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
C. Enable NAT Traversal on the Site-A IKE Gateway profile.
D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Correct Answer: D

QUESTION 35

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

A. Disable Server Response Inspection
B. Apply an Application Override
C. Disable HIP Profile
D. Add server IP Security Policy exception

Correct Answer: A

QUESTION 36

How are IPv6 DNS queries configured to use interface ethernet1/3?

A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration

Correct Answer: D

QUESTION 37

What must be used in a Security Policy Rule that contains addresses where NAT policy applies?

A. Pre-NAT addresses and Pre-NAT zones
B. Post-NAT addresses and Post-NAT zones
C. Pre-NAT addresses and Post-NAT zones
D. Post-NAT addresses and Pre-NAT zones

Correct Answer: C

QUESTION 38

Palo Alto Networks maintains a dynamic database of malicious domains.

Which two Security Platform components use this database to prevent threats? (Choose two)

A. Brute-force signatures
B. BrightCloud URL Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures

Correct Answer: CD

QUESTION 39

A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules

Correct Answer: A

QUESTION 40

Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

A. Set tunnel.1 to p2p
B. Set tunnel.1 to p2mp
C. Set Ethernet 1/1 to p2mp
D. Set Ethernet 1/1 to p2p

Correct Answer: A

QUESTION 41

Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)

A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel

Correct Answer: BC

QUESTION 42

The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?

A. Server Certificate
B. Client Certificate
C. Authentication Profile
D. Certificate Profile

Correct Answer: A

Explanation/Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/58351

QUESTION 43

A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.

Which CLI command will help identify the issue?

A. test routing fib virtual-router vr1
B. show routing route type static destination 98.139.183.24
C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1
D. show routing interface

Correct Answer: C

QUESTION 44

Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes
B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode.
C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes.
D. Enter the command logger-mode enable then enter Y to confirm the change to Log Collector mode.
E. Log in to the Panorama CLI of the dedicated Log Collector

Correct Answer: BE

Explanation/Reference: https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-100-appliance

QUESTION 45

Which interface configuration will accept specific VLAN IDs?

A. Tap Mode
B. Subinterface
C. Access Interface
D. Trunk Interface

Correct Answer: B

QUESTION 46

A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair.

What allows the firewall administrator to determine the last date a failover event occurred?

A. From the CLI issue use the show System log
B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the configuration log
D. Check the status of the High Availability widget on the Dashboard of the GUI

Correct Answer: D

QUESTION 47

Which three options does the WF-500 appliance support for local analysis? (Choose three)

A. E-mail links
B. APK files
C. jar files
D. PNG files
E. Portable Executable (PE) files

Correct Answer: ACE

QUESTION 48

A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.

What can be the cause of this problem?

A. No Zone has been configured on Ethernet 1/4.
B. Interface Ethernet 1/1 is in Virtual Wire Mode.
C. DNS has not been properly configured on the firewall.
D. DNS has not been properly configured on the host.

Correct Answer: A

QUESTION 49

Which three fields can be included in a pcap filter? (Choose three)

A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface

Correct Answer: BDE

Explanation/Reference: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069