[Dec 12, 2024] PCNSC Exam Dumps - Try Best PCNSC Exam Questions - Test4Engine
Verified PCNSC exam dumps Q&As with Correct 62 Questions and Answers
NEW QUESTION # 16
When is the content inspection performed in the packet flow process?
- A. before session lookup
- B. after the SSL Proxy re-encrypts the packet
- C. after the application has been identified
- D. before the packet forwarding process
Answer: C
NEW QUESTION # 17
An organization has Palo Alto Networks MGfWs that send logs to remote monitoring and security management platforms. The network team has report has excessive traffic on the corporate WAN. How could the Palo Alto Networks NOFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
- A. Forward logs from external sources to Panorama for correlation, arid from Panorama send to the NGFW
- B. Configure log compression and optimization features on all remote firewalls.
- C. Any configuration on an M-500 would address the insufficient bandwidth concerns.
- D. forward logs from firewalls only to Panorama, and have Panorama forward log* lo other external service.
Answer: D
NEW QUESTION # 18
What command can you use to check the status of GlobalProtect clients connected to the firewall?
- A. show globalprotect current-user
- B. show globalprotect gateway
- C. show globalprotect status
- D. show globalprotect statistics
Answer: B
NEW QUESTION # 19
An administrator sees several inbound sessions identified as unknown tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company's propriety accounting application. The administrator wants to reliability identity this as their accounting application and to scan this traffic for threats.
Which option would achieve this result?
- A. Create an Application Override policy and a custom threat signature for the application.
- B. Create an Application Override policy
- C. Create a custom App-ID and enable scanning on the advanced tab.
- D. Create a custom App-ID and use the "ordered condition cheek box.
Answer: A
NEW QUESTION # 20
Match the App-ID adoption task with its order in the process.
Answer:
Explanation:
Explanation:
To match the App-ID adoption task with its order in the process, follow these steps:
* Perform a like-for-like (Layer 3/4) migration from the legacy firewall to the Palo Alto Networks NGFW.
* This is the initial step to ensure that the Palo Alto Networks NGFW is in place and functioning with the existing security policies.
* Capture, retain, and verify that all traffic has been logged for a period of time.
* This step involves enabling logging and monitoring traffic to understand the application usage and to ensure that all traffic is being logged.
* Clone the legacy rules and add application information to the intended application-based rules.
* This step involves creating copies of the existing rules and enhancing them with application-specific information using App-ID.
* Verify that no traffic is hitting the legacy rules.
* After creating application-based rules, ensure that traffic is now hitting these new rules instead of the legacy rules. This indicates that the transition to App-ID based policies is successful.
* Remove the legacy rules.
* Once it is confirmed that no traffic is hitting the legacy rules and the new App-ID based rules are effectively managing the traffic, the legacy rules can be safely removed.
Order in Process:
* Perform a like-for-like (Layer 3/4) migration from the legacy firewall to the Palo Alto Networks NGFW.
* Capture, retain, and verify that all traffic has been logged for a period of time.
* Clone the legacy rules and add application information to the intended application-based rules.
* Verify that no traffic is hitting the legacy rules.
* Remove the legacy rules.
References:
* Palo Alto Networks - App-ID Best Practices: https://docs.paloaltonetworks.com/best-practices
* Palo Alto Networks - Migration from Legacy Firewalls: https://docs.paloaltonetworks.com/migration
NEW QUESTION # 21
Which two options prevents the firewall from capturing traffic passing through it? (Choose two.)
- A. The traffic does not match the packet capture filter
- B. The traffic is offloaded.
- C. The firewall is in milti-vsys mode.
- D. The firewall's DP CPU is higher than 50%
Answer: A,B
NEW QUESTION # 22
Which three authentication faction factors does PAN-OS software support for MFA? (Choose three.)
- A. Pull
- B. Push
- C. Okta Adaptive
- D. Voice
- E. SMS
Answer: A,B,D
NEW QUESTION # 23
An administrator needs to create a new Antivirus Profile to address a virus that is spreading internally over SMB.
To create a secure posture the administrator should choose which set of actions for the SMB decoder in an Antivirus Profile?
- A. Action - Drop; Wildfire Action - Reset-Both
- B. Action - Reset-Both: Wildfire Action - Reset-Both
- C. Action - Reset-Both. WiWfire Action - Alert
- D. Action - Allow; Wildfire Action - Allow
Answer: B
Explanation:
To create a secure Antivirus Profile to address a virus spreading internally over SMB, the administrator should choose the following set of actions for the SMB decoder:
B:Action - Reset-Both; Wildfire Action - Reset-Both
Choosing "Reset-Both" for both the Antivirus Action and the Wildfire Action ensures that the connection is terminated on both the client and server sides whenever a virus is detected. This action helps prevent the spread of the virus by cutting off the infected connection immediately.
References:
* Palo Alto Networks - Antivirus Profile Best Practices: https://docs.paloaltonetworks.com/best-practices
* Palo Alto Networks - Creating and Configuring Antivirus Profiles:
* https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/antivirus-profiles
NEW QUESTION # 24
A Security policy rule is configured with a Vulnerability Protection Profile and an action of Deny".
Which action will this configuration cause on the matched traffic?
- A. The configuration is invalid it will cause the firewall to Skip this Security policy rule A warning will be displayed during a command.
- B. The configuration is invalid. The Profile Settings section will be- grayed out when the action is set to "Deny"
- C. The configuration is valid It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny" The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per. defined, severity defined actions defined in the associated Vulnerability Protection Profile.
Answer: B
NEW QUESTION # 25
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
- A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or stacks.
- B. When Panorama is reverted to an earlier PAN-OS release, variable used in template stacks will be removed authentically.
- C. Administrators need to manually update variable characters to those to used in pre-PAN-OS 8.1.
- D. An administrator must use the Expedition tool to adapt the configuration to the pre-pan-OS 8.1 state.
Answer: A
NEW QUESTION # 26
Which CLI command is used to verify the high availability state of a Palo Alto Networks firewall?
- A. show high-availability status
- B. show ha status
- C. show ha state
- D. show high-availability state
Answer: B
NEW QUESTION # 27
Which Captive Portal mode must be contoured to support MFA authentication?
- A. Redirect
- B. Transparent
- C. NTLM
- D. Single Sign-On
Answer: A
NEW QUESTION # 28
Which two action would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL forward proxy? (Choose two.)
- A. Create a no-decrypt Decryption Policy rule.
- B. Enable the "Block seasons with untrusted Issuers- setting.
- C. Configure an EDL to pull IP Addresses of known sites resolved from a CRL.
- D. Create a Security Policy rule with vulnerability Security Profile attached.
- E. Configure a Dynamic Address Group for untrusted sites.
Answer: B,D
NEW QUESTION # 29
What type of NAT rule is required to translate an internal server's private IP address to a public IP address for external access?
- A. Source NAT
- B. Bidirectional NAT
- C. Destination NAT
- D. Dynamic NAT
Answer: C
NEW QUESTION # 30
In Panorama, what is the correct order of precedence for security policies?
- A. Device group pre-rules, shared pre-rules, local rules, shared post-rules, device group post-rules
- B. Shared pre-rules, device group pre-rules, local rules, device group post-rules, shared post-rules
- C. Shared pre-rules, device group pre-rules, local rules, shared post-rules, device group post-rules
- D. Device group pre-rules, shared pre-rules, local rules, device group post-rules, shared post-rules
Answer: B
NEW QUESTION # 31
In a multi-tenant environment, what feature allows you to assign different administrators to different tenants?
- A. Device Groups
- B. Admin Roles
- C. Access Domains
- D. Virtual Systems
Answer: C
NEW QUESTION # 32
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?
- A. In the details of the Threat log entries
- B. In the details of the Traffic log entries
- C. Decryption tag
- D. Data filtering log
Answer: B
NEW QUESTION # 33
Which of the following is a primary use case for the Decryption Broker feature?
- A. Sharing decrypted traffic with multiple security appliances
- B. Decrypting outbound SSL traffic
- C. Managing multiple decryption rules
- D. Aggregating traffic logs from different sources
Answer: A
NEW QUESTION # 34
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
- A. Option B
- B. Option A
- C. Option C
- D. Option D
Answer: D
NEW QUESTION # 35
What feature should be used to decrypt and inspect inbound SSL traffic without having to install a certificate on the client devices?
- A. SSL Reverse Proxy
- B. SSL Inbound Inspection
- C. SSL Forward Proxy
- D. SSL Outbound Inspection
Answer: A
NEW QUESTION # 36
......
Palo Alto Networks PCNSC Test Engine PDF - All Free Dumps: https://www.test4engine.com/PCNSC_exam-latest-braindumps.html
Get New PCNSC Certification – Valid Exam Dumps Questions: https://drive.google.com/open?id=1PRakNxyLCL5yuTJkOXfX3-YGdneg03VE