Pass the Palo Alto Networks Palo Alto Certifications and Accreditations PCNSE Questions and answers with CertsForce

Viewing page 3 out of 12 pages
Viewing questions 21-30 out of questions
Questions # 21:

What must be configured to apply tags automatically based on User-ID logs?

Options:

A.

Device ID


B.

Log Forwarding profile


C.

Group mapping


D.

Log settings


Questions # 22:

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?

Options:

A.

show session all filter nat-rule-source


B.

show running nat-rule-ippool rule "rule_name"


C.

show running nat-policy


D.

show session all filter nat source


Questions # 23:

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

Options:

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.


B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.


C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.


D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.


Questions # 24:

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

Options:

A.

NAT


B.

DoS protection


C.

QoS


D.

Tunnel inspection


Questions # 25:

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?

[Image: Question # 25]

Options:

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring


B.

No action was taken because Path Monitoring is disabled


C.

No action was taken because interface ethernet1/1 did not fail


D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure


Questions # 26:

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Options:

A.

NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: Static IP / 172.16.15.1

Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 172.16.15.10 - Application: ssh


B.

NAT Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10

Security Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh


C.

NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10

Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh


D.

NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh


Questions # 27:

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

Options:

A.

HTTPS


B.

SSH


C.

Permitted IP Addresses


D.

HTTP


E.

User-ID


Questions # 28:

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

Options:

A.

the 'Shared' device group


B.

template stacks


C.

a device group


D.

template variables


Questions # 29:

Which operation will impact the performance of the management plane?

Options:

A.

Decrypting SSL sessions


B.

Generating a SaaS Application report


C.

Enabling DoS protection


D.

Enabling packet buffer protection


Questions # 30:

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?

Options:

A.

Select the check box "Log packet-based attack events" in the Zone Protection profile


B.

No action is needed. Zone Protection events appear in the threat logs by default


C.

Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall


D.

Access the CLI in each firewall and enter the command set system setting additional-threat-log on

