[Free] 2019(Nov) EnsurePass Palo Alto Networks PCNSE Dumps with VCE and PDF 201-210

Get Full Version of the Exam

Question No.201

A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?

  1. Configure ECMP to handle matching NAT traffic

  2. Configure a NAT Policy rule with Dynamic IP and Port

  3. Create a new Source NAT Policy rule that matches the existingtraffic and enable the Bi-directional option

  4. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option

Correct Answer: C


https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration- examples

Question No.202

A VPN connection is set up between Site-A and Site-B, but no traffic is passing inthe system log of Site-A, there is an event logged as like-nego-p1-fail-psk. What action will bring the VPN up and allow traffic to start passing between the sites?

  1. Change the Site-B IKE Gateway profile version to match Site-A,

  2. Change the Site-A IKEGateway profile exchange mode to aggressive mode.

  3. Enable NAT Traversal on the Site-A IKE Gateway profile.

  4. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

Correct Answer: D

Question No.203

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

  1. Disable Server Response Inspection

  2. Apply an Application Override

  3. Disable HIP Profile

  4. Add server IP Security Policy exception

Correct Answer: A

Question No.204

Refer to Exhibit. A firewall has three PDF rules and a default route with a next hop of that is configured in the default VR. Auser named XX-bes a PC with a IP address. He makes an HTTPS connection to What is the next hop IP address for the HTTPS traffic from Wills PC?






Correct Answer: B

Question No.205

Only two Trust to Untrust allow rules have been created in the Security policy



Rule1 allows google-base Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accessshttps://www.youtube.comin a web browser, they get an error indecating that theserver cannot be found.

Which action will allow youtube.com display in the browser correctly?

  1. Add SSL App-ID to Rule1

  2. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID#39;s to it

  3. Add the DNS App-ID to Rule2

  4. Add theWeb-browsing App-ID to Rule2

Correct Answer: C

Question No.206

YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on thefirewall:



ethernet1/1, Zone: Untrust (Internet-facing) ethernet1/2, Zone: Trust (client-facing)

A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound.

Which setting for class 6 with throttle YouTube traffic?

  1. Outbound profile with Guaranteed Ingress

  2. Outbound profile with Maximum Ingress

  3. Inbound profile with Guaranteed Egress

  4. Inbound profile with Maximum Egress

Correct Answer: D

Question No.207

A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is notreliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

  1. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole

  2. File Blocking profiles applied to outbound security policies with action set to alert

  3. Vulnerability Protection profiles applied to outbound security policies with action set to block

  4. Antivirus profiles applied to outbound security policies with action set to alert

Correct Answer: A

Question No.208

Company.com has an in-house application that the Palo Alto Networks device doesn#39;t identify correctly. A Threat ManagementTeam member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device?

  1. Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.

  2. Wait until an official Application signature is provided from Palo Alto Networks.

  3. Modify the session timer settings on the closest referanced application to meet the needs of the in-house application

  4. Create a Custom Application with signatures matching unique identifiers of the in-house applicationtraffic

Correct Answer: D

Question No.209

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external SecurityInformation and Event Management(SIEM) system?

  1. Panorama Log Settings

  2. Panorama Log Templates

  3. Panorama Device Group Log Forwarding

  4. Collector Log Forwarding for Collector Groups

Correct Answer: A

Explanation: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage- log-collection/enable-log-forwarding-from-panorama-to-external-destinations

Question No.210

What arethree valid method of user mapping? (Choose three)

  1. Syslog

  2. XML API C. 802.1X

  1. WildFire

  2. Server Monitoring

Correct Answer: ABE

Get Full Version of the Exam