최신 PCNSE 무료덤프 - Palo Alto Networks Certified Network Security Engineer

문제1

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A. A self-signed Certificate Authority certificate generated by the firewall

B. A web server certificate signed by the organization's PKI

C. A Machine Certificate for the firewall signed by the organization's PKI

D. A subordinate Certificate Authority certificate signed by the organization's PKI

정답: D

설명: (DumpTOP 회원만 볼 수 있음)

문제2

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

A. Disable the HA2 link.

B. Set the passive link state to shutdown".

C. Disable config sync.

D. Disable HA.

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제3

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known What can the administrator configure to establish the VPN connection?

A. Use the Dynamic IP address type.

B. Set up certificate authentication.

C. Enable Passive Mode

D. Configure the peer address as an FQDN.

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제4

An administrator is tasked to provide secure access to applications running on a server in the company's on- premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy?

A. Obtain or generate the forward trust and forward untrust certificate from the datacenter server.

B. Obtain or generate the self-signed certificate with private key in the firewall

C. Obtain or generate the server certificate and private key from the datacenter server.

D. Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted sessions.

정답: C

문제5

A company wants to use GlobalProtect as its remote access VPN solution.
Which GlobalProtect features require a Gateway license?

A. IPv6 for internal gateways

B. Single or multiple internal gateways

C. Multiple external gateways

D. Split DNS and HIP checks

정답: D

문제6

A firewall administrator wants to be able at to see all NAT sessions that are going 'through a firewall with source NAT. Which CLI command can the administrator use?

A. show session all filter nat source

B. show session all filter nat-rule-source

C. show running nat-rule-ippool rule "rule_name

D. show running nat-policy

정답: A

문제7

A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.
Which two actions are required for this scenario to work? (Choose two.)

A. On the HQ firewall select peer IP address type FQDN

B. On the remote location firewall select peer IP address type Dynamic

C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel

D. On the remote location firewall enable DONS under the interface used for the IPSec tunnel

정답: A,C

문제8

Which rule type controls end user SSL traffic to external websites?

A. SSL Forward Proxy

B. SSL Outbound Proxyless Inspection

C. SSL Inbound Inspection

D. SSH Proxy

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제9

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

A. Dataplane CPU

B. Packet buffers

C. Management plane CPU

D. On-chip packet descriptors

정답: C

문제10

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ.
The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?

A. Destination Zone Outside. Destination IP address 10.10.10.1

B. Destination Zone Outside. Destination IP address 2.2.2.1

C. Destination Zone DMZ, Destination IP address 2.2.2.1

D. Destination Zone DMZ, Destination IP address 10.10.10.1

정답: C

문제11

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?

A. By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"

B. By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)'

C. By navigating to Monitor > Logs> Threat, applying filter "(subtype eq virus)"

D. By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

정답: D

문제12

A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?

A. East

B. South

C. Central

D. West

정답: A

설명: (DumpTOP 회원만 볼 수 있음)

문제13

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A. LDAP Server Profile configuration

B. PAN-OS integrated User-ID agent

C. GlobalProtect

D. Windows-based User-ID agent

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제14

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

A. Policy Optimizer

B. Preview Changes

C. Test Policy Match

D. Managed Devices Health

정답: C

설명: (DumpTOP 회원만 볼 수 있음)

문제15

What does the User-ID agent use to find login and logout events in syslog messages?

A. Log Forwarding profile

B. Syslog Parse profile

C. Syslog Server profile

D. Authentication log

정답: B

문제16

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

A. In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

B. Command line> debug dataplane packet-diag clear filter all

C. Command line > debug dataplane packet-diag clear filter-marked-session all

D. In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

정답: B

문제17

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama They notice that commit times have drastically increased for the PA-220S after the migration What can they do to reduce commit times?

A. Perform a device group push using the "merge with device candidate config" option

B. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

C. Update the apps and threat version using device-deployment

D. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

정답: B

설명: (DumpTOP 회원만 볼 수 있음)

최신 PCNSE 무료덤프 - Palo Alto Networks Certified Network Security Engineer

우리와 연락하기

유용한 링크

최신 업데이트