[December-2021]Real PCNSE Exam PDF Free Download in Braindump2go[Q390-Q421] December 1, 2021 greatexam December/2021 Latest Braindump2go PCNSE Exam Dumps with PDF and VCE Free Updated Today! Following are some new PCNSE Real Exam Questions! QUESTION 390Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken? A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.B. Add a WildFire subscription to activate DoS and zone protection features.C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection. Answer: AExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection.html QUESTION 391An administrator receives the following error message:“IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0.”How should the administrator identify the root cause of this error message? A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.B. Check whether the VPN peer on one end is set up correctly using policy-based VPN.C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers. Answer: BExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html QUESTION 392The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-groupWhat objects and policies will the Dallas-FW receive if “Share Unused Address and Service Objects” is enabled in Panorama? A. Address Objects– Shared Address1– Branch Address1Policies– Shared Policy1– Branch Policy1B. Address Objects– Shared Address1– Shared Address2– Branch Address1Policies– Shared Policy1– Shared Policy2– Branch Policy1C. Address Objects– Shared Address1– Shared Address2– Branch Address1– DC Address1Policies– Shared Policy1– Shared Policy2– Branch Policy1D. Address Objects– Shared Address1– Shared Address2– Branch Address1Policies– Shared Policy1– Branch Policy1 Answer: C QUESTION 393An administrator has purchased WildFire subscriptions for 90 firewalls globally.What should the administrator consider with regards to the WildFire infrastructure? A. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.B. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.C. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.D. The WildFire Global Cloud only provides bare metal analysis. Answer: CExplanation:Reference: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html QUESTION 394What are three reasons for excluding a site from SSL decryption? (Choose three.) A. the website is not present in EnglishB. unsupported ciphersC. certificate pinningD. unsupported browser versionE. mutual authentication Answer: BCEExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption QUESTION 395When setting up a security profile, which three items can you use? (Choose three.) A. Wildfire analysisB. anti-ransomwareC. antivirusD. URL filteringE. decryption profile Answer: ACDExplanation:Reference: https://manualzz.com/doc/10741747/pan%E2%80%90os-administrator%E2%80%99s-guide-policy QUESTION 396What are three types of Decryption Policy rules? (Choose three.) A. SSL Inbound InspectionB. SSH ProxyC. SSL Forward ProxyD. Decryption BrokerE. Decryption Mirror Answer: ABCExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-overview.html#:~:text=The%20firewall%20provides%20three%20types,to%20control%20tunneled%20SSH%20traffic QUESTION 397Which two features require another license on the NGFW? (Choose two.) A. SSL Inbound InspectionB. SSL Forward ProxyC. Decryption MirrorD. Decryption Broker Answer: CDExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-decryption-port-mirroring.htmlhttps://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-licenses.html QUESTION 398A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.) A. Permitted IP AddressesB. SSHC. httpsD. User-IDE. HTTP Answer: BCEExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access.html QUESTION 399A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled:– Prisma Access for Remote Networks: 300Mbps– Prisma Access for Mobile Users: 1500 Users– Cortex Data Lake: 2TB– Trusted Zones: trust– Untrusted Zones: untrust– Parent Device Group: sharedThe customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two.) A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the LogForwarding profile to all of the security policy rules in Mobile_User_Device_Group.D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group. Answer: BCExplanation:Reference: https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html QUESTION 400A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system.Where is the best place to validate if the firewall is blocking the user’s TAR file? A. Threat logB. Data Filtering logC. WildFire Submissions logD. URL Filtering log Answer: BExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZ1CAK QUESTION 401Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.) A. inherit address-objects from templatesB. define a common standard template configuration for firewallsC. standardize server profiles and authentication configuration across all stacksD. standardize log-forwarding profiles for security polices across all stacks Answer: ABExplanation:Reference: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks QUESTION 402An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.What should the enterprise do to use PAN-OS MFA? A. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.C. Configure a Captive Portal authentication policy that uses an authentication sequence.D. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile. Answer: BExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214_idc4b47dbd-9777-4ec8-be70-c16ca0ea1756 QUESTION 403An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information.However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD.How can policies based on group mapping be learned and enforced in Prisma Access? A. Configure Prisma Access to learn group mapping via SAML assertion.B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access.C. Assign a master device in Panorama through which Prisma Access learns groups.D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers. Answer: CExplanation:Reference: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/retrieve-user-id-information.html#id823f5b30-2c1d-4c87-9ae6-a06573455af7 QUESTION 404What happens to traffic traversing SD-WAN fabric that doesn’t match any SD-WAN policies? A. Traffic is dropped because there is no matching SD-WAN policy to direct traffic.B. Traffic matches a catch-all policy that is created through the SD-WAN plugin.C. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links.D. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3). Answer: CExplanation:Reference: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/configure-sd-wan/distribute-unmatched-sessions.html QUESTION 405A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two.) A. certificate authority (CA) certificateB. server certificateC. client certificateD. certificate profile Answer: CDExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html QUESTION 406An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall, WildFire logs are available.This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing? A. WildFire logsB. System logsC. Threat logsD. Traffic logs Answer: AExplanation:Reference: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama.html QUESTION 407A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama.Which configuration is necessary to retrieve groups from Panorama? A. Configure an LDAP Server profile and enable the User-ID service on the management interface.B. Configure a group mapping profile to retrieve the groups in the target template.C. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents.D. Configure a master device within the device groups. Answer: DExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG QUESTION 408How can packet buffer protection be configured? A. at zone level to protect firewall resources and ingress zones, but not at the device levelB. at the interface level to protect firewall resourcesC. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone levelD. at the device level (globally) and, if enabled globally, at the zone level Answer: DExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/configure-zone-protection-to-increase-network-security/configure-packet-buffer-protection QUESTION 409An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.What is the best solution for the customer? A. Configure a remote network on PAN-OSB. Upgrade to a PAN-OS SD-WAN subscriptionC. Configure policy-based forwardingD. Deploy Prisma SD-WAN with Prisma Access Answer: BExplanation:Reference: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/about-sd-wan.html QUESTION 410A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.What is the correct setting? A. Change the HA timer profile to “user-defined” and manually set the timers.B. Change the HA timer profile to “fast”.C. Change the HA timer profile to “aggressive” or customize the settings in advanced profile.D. Change the HA timer profile to “quick” and customize in advanced profile. Answer: CExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html QUESTION 411What is the function of a service route? A. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address.B. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address.C. The service route is the method required to use the firewall’s management plane to provide services to applications.D. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal. Answer: AExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes.html QUESTION 412Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing? A. show session all filter ssl-decryption yes total-count yesB. show session all ssl-decrypt yes count yesC. show session all filter ssl-decrypt yes count yesD. show session filter ssl-decryption yes total-count yes Answer: CExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK QUESTION 413Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks.How can the issue be corrected? A. Override the value on the NYCFW template.B. Override a template value using a template stack variable.C. Override the value on the Global template.D. Enable “objects defined in ancestors will take higher precedence” under Panorama settings. Answer: AExplanation:Reference: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks QUESTION 414While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate? A. show system setting ssl-decrypt certsB. show system setting ssl-decrypt certificateC. debug dataplane show ssl-decrypt ssl-statsD. show system setting ssl-decrypt certificate-cache Answer: BExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK QUESTION 415Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process? A. removing the Panorama serial number from the ZTP serviceB. performing a factory reset of the firewallC. performing a local firewall commitD. removing the firewall as a managed device in Panorama Answer: CExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail? id=kA14u0000001UiOCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F% 2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail QUESTION 416In URL filtering, which component matches URL patterns? A. live URL feeds on the management planeB. security processing on the data planeC. single-pass pattern matching on the data planeD. signature matching on the data plane Answer: CExplanation:Reference: https://www.firewall.cx/networking-topics/firewalls/palo-alto-firewalls/1152-palo-alto-firewall-single-pass-parallel-processing-hardware-architecture.html QUESTION 417In a template, you can configure which two objects? (Choose two.) A. Monitor profileB. application groupC. SD-WAN path quality profileD. IPsec tunnel Answer: BC QUESTION 418An organization’s administrator has the funds available to purchase more firewalls to increase the organization’s security posture.The partner SE recommends placing the firewalls as close as possible to the resources that they protect.Is the SE’s advice correct, and why or why not? A. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle, independent of placement.B. Yes. Firewalls are session-based, so they do not scale to millions of CPS.C. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network.D. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems. Answer: DExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection.html QUESTION 419An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed? A. Preview ChangesB. Policy OptimizerC. Managed Devices HealthD. Test Policy Match Answer: DExplanation:Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/test-policy-rule-traffic-matches.html QUESTION 420What is a key step in implementing WildFire best practices? A. Configure the firewall to retrieve content updates every minute.B. Ensure that a Threat Prevention subscription is active.C. In a mission-critical network, increase the WildFire size limits to the maximum value.D. n a security-first network, set the WildFire size limits to the minimum value. Answer: BExplanation:Reference: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-deployment-best-practices/wildfire-best-practices QUESTION 421What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)? A. Phase 2 SAs are synchronized over HA2 links.B. Phase 1 and Phase 2 SAs are synchronized over HA2 links.C. Phase 1 SAs are synchronized over HA1 links.D. Phase 1 and Phase 2 SAs are synchronized over HA3 links. Answer: AExplanation:Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail Resources From: 1.2021 Latest Braindump2go PCNSE Exam Dumps (PDF & VCE) Free Share:https://www.braindump2go.com/pcnse.html 2.2021 Latest Braindump2go PCNSE PDF and PCNSE VCE Dumps Free Share:https://drive.google.com/drive/folders/1VvlcN8GDfslOVKt1Cj-E7yHyUNUyXuxc?usp=sharing 3.2021 Free Braindump2go PCNSE Exam Questions Download:https://www.braindump2go.com/free-online-pdf/PCNSE-PDF-Dumps(390-421).pdf Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!