[September-2021]Braindump2go New PCNSE PDF and VCE Dumps Free Share(Q360-Q384)


A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas):

i. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system )

ii. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificate

iii. Enterprise-lntermediate-CA

iv. Enterprise-Root-CA which is verified only as Trusted Root CA An end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com

The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewall.

The end-user's browser will show that the certificate for www example-website com was issued by which of the following?

A.Enterprise-Untrusted-CA which is a self-signed CA

B.Enterprise-Trusted-CA which is a self-signed CA

C.Enterprise-lntermediate-CA which was. in turn, issued by Enterprise-Root-CA

D.Enterprise-Root-CA which is a self-signed CA

Answer: B


An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises Infrastructure.

The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)


B.template stacks

C.collector groups

D.virtual systems

Answer: BC


A traffic log might list an application as "not-applicable" for which two reasons? (Choose two )

A.0The firewall did not install the session

B.The TCP connection terminated without identifying any application data

C.The firewall dropped a TCP SYN packet

D.There was not enough application data after the TCP connection was established

Answer: AD


An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version.

What is considered best practice for this scenario?

A.Perform the Panorama and firewall upgrades simultaneously

B.Upgrade the firewall first wait at least 24 hours and then upgrade the Panorama version

C.Upgrade Panorama to a version at or above the target firewall version

D.Export the device state perform the update, and then import the device state

Answer: A


An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required.

Which interface type would support this business requirement?

A.Layer 3 interfaces but configuring EIGRP on the attached virtual router

B.Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ

C.Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on subinterfaces only

D.Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)

Answer: D


When you configure a Layer 3 interface what is one mandatory step?

A.Configure Security profiles, which need to be attached to each Layer 3 interface

B.Configure Interface Management profiles which need to be attached to each Layer 3 interface

C.Configure virtual routers to route the traffic for each Layer 3 interface

D.Configure service routes to route the traffic for each Layer 3 interface

Answer: A


An administrator has a PA-820 firewall with an active Threat Prevention subscription.

The administrator is considering adding a WildFire subscription.

How does adding the WildFire subscription improve the security posture of the organization1?

A.Protection against unknown malware can be provided in near real-time

B.WildFire and Threat Prevention combine to provide the utmost security posture for the firewall

C.After 24 hours WildFire signatures are included in the antivirus update

D.WildFire and Threat Prevention combine to minimize the attack surface

Answer: D


Which three statements accurately describe Decryption Mirror? (Choose three.)

A.Decryption Mirror requires a tap interface on the firewall

B.Decryption, storage, inspection and use of SSL traffic are regulated in certain countries

C.Only management consent is required to use the Decryption Mirror feature

D.You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment

E.Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

Answer: ABC


As a best practice, which URL category should you target first for SSL decryption?

A.Online Storage and Backup

B.High Risk

C.Health and Medicine

D.Financial Services

Answer: A


An administrator wants to enable zone protection

Before doing so, what must the administrator consider?

A.Activate a zone protection subscription.

B.To increase bandwidth no more than one firewall interface should be connected to a zone

C.Security policy rules do not prevent lateral movement of traffic between zones

D.The zone protection profile will apply to all interfaces within that zone

Answer: A


What are two characteristic types that can be defined for a variable? (Choose two )



C.path group

D.IP netmask

Answer: BD


What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )

A.Destination Zone


C.Custom URL Category


E.Source Interface

Answer: ADE


Given the following configuration, which route is used for destination

A.Route 4

B.Route 3

C.Route 1

D.Route 3

Answer: A


When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?

A.The interface must be used for traffic to the required services

B.You must enable DoS and zone protection

C.You must set the interface to Layer 2 Layer 3. or virtual wire

D.You must use a static IP address

Answer: A


What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?

A.link state

B.stateful firewall connection



Answer: C


When setting up a security profile which three items can you use? (Choose three )

A.Wildfire analysis

B.anti-ransom ware


D.URL filtering

E.decryption profile

Answer: ACD


A variable name must start with which symbol?





Answer: A


An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.

Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

A.> ftp export mgmt-pcap from mgmt.pcap to <FTP host>

B.> scp export mgmt-pcap from mgmt.pcap to {usernameQhost:path>

C.> scp export pcap-mgmt from pcap.mgiat to (username@host:path)

D.> scp export pcap from pcap to (usernameQhost:path)

Answer: C


What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

A.the website matches a category that is not allowed for most users

B.the website matches a high-risk category

C.the web server requires mutual authentication

D.the website matches a sensitive category

Answer: AD


During SSL decryption which three factors affect resource consumption1? (Choose three )

A.TLS protocol version

B.transaction size

C.key exchange algorithm

D.applications that use non-standard ports

E.certificate issuer

Answer: ABC


An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used.

After looking at the configuration, the administrator believes that the firewall is not using a static route.

What are two reasons why the firewall might not use a static route"? (Choose two.)

A.no install on the route

B.duplicate static route

C.path monitoring on the static route

D.disabling of the static route

Answer: C


Before you upgrade a Palo Alto Networks NGFW what must you do?

A.Make sure that the PAN-OS support contract is valid for at least another year

B.Export a device state of the firewall

C.Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.

D.Make sure that the firewall is running a supported version of the app + threat update

Answer: B


Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

A.PAN-OS integrated User-ID agent

B.LDAP Server Profile configuration


D.Windows-based User-ID agent

Answer: A


Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?

A.Yes. because the action is set to "allow ''

B.No because WildFire categorized a file with the verdict "malicious"

C.Yes because the action is set to "alert"

D.No because WildFire classified the seventy as "high."

Answer: B


An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.

Where does the administrator view the desired data?

A.Monitor > Utilization

B.Resources Widget on the Dashboard

C.Support > Resources

D.Application Command and Control Center

Answer: A

2021 Latest Braindump2go PCNSE PDF and PCNSE VCE Dumps Free Share:


4.7 Star App Store Review!
The Communities are great you rarely see anyone get in to an argument :)
Love Love LOVE

Select Collections