Palo Alto Networks PCNSE Exam Questions Instant Access

Question 1

A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What must the company do in order to use PAN-OS MFA?

AConfigure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

BUse a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

CConfigure a Captive Portal authentication policy that uses an authentication sequence.

DCreate an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

Answer : D

Question 2

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

AThe active firewall failed over to the passive HA member because 'any' is selected for the Link Monitoring

BNo action was taken because Path Monitoring is disabled

CNo action was taken because interface ethernet1/1 did not fail

DThe active firewall failed over to the passive HA member due to an AE1 Link Group failure

Answer : C

Question 3

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?

Athe 'Shared' device group

Btemplate stacks

Ca device group

Dtemplate variables

Answer : D

Question 4

Where can a service route be configured for a specific destination IP?

AUse Netw ork > Virtual Routers, select the Virtual Router > Static Routes > IPv4

BUse Device > Setup > Services > Services

CUse Device > Setup > Services > Service Route Configuration > Customize > Destination

DUse Device > Setup > Services > Service Route Configuration > Customize > IPv4

Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

Question 5

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

ATo comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

BPalo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

CEach WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

DThe WildFire Global Cloud only provides bare metal analysis.

Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html

Question 6

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

Ashow chassis status slot s1

Bshow s/stem state filter ethernet1/1

Cshow s/stem state filter sw.dev interface config

Dshow s/stem state filter-pretty sys.sl*

Answer : D

Question 7

Exhibit.

Given the screenshot, how did the firewall handle the traffic?

ATraffic was allowed by profile but denied by policy as a threat.

BTraffic was allowed by policy but denied by profile as a threat.

CTraffic was allowed by policy but denied by profile as encrypted.

DTraffic was allowed by policy but denied by profile as a nonstandard port.

Answer : B

Palo Alto Networks Certified Security Engineer PAN-OS 11.0 PCNSE Exam Questions