[Free] 2019(Nov) EnsurePass Palo Alto Networks PCNSE Dumps with VCE and PDF 21-30

Get Full Version of the Exam

Question No.21

A client has a sensitive application server in theirdata center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

  1. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.

  2. Add a Vulnerability Protection Profile to block the attack.

  3. Add QoS Profiles to throttle incoming requests.

  4. Add a DoS Protection Profile with defined session count.

Correct Answer: D



Question No.22

If an administrator wants to decrypt SMTP traffic and possesses the server#39;s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

  1. TLS Bidirectional Inspection

  2. SSL Inbound Inspection

  3. SSH Forward Proxy

  4. SMTP Inbound Decryption

Correct Answer: B


https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl- inbound-inspection

Question No.23

Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?

  1. Both SSH keys and SSL certificates must be generated.

  2. No prerequisites are required.

  3. SSH keys must be manually generated.

  4. SSL certificates must be generated.

Correct Answer: B


https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssh- proxy

Question No.24

Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)

  1. User logon

  2. Short message service

  3. Push

  4. SSH key

  5. One-Time Password

  6. Voice

Correct Answer: BCEF

Question No.25

Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS?software?

  1. XML API

  2. Port Mapping

  3. Client Probing

  4. Server Monitoring

Correct Answer: A


Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of usersconnecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent.


Question No.26

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )

  1. equal-cost multipath

  2. ingress processing errors

  3. rule match with action quot;allowquot;

  4. rule match with action quot;denyquot;

Correct Answer: BD

Question No.27

An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  1. Wildfire update package

  2. User-ID agent

  3. Anti virus update package

  4. Application and Threats update package

Correct Answer: D


Dependencies: Before upgrade, make sure the firewall is running a version ofapp threat (content version) that meets theminimum requirement of the new PAN-OS Upgrade.

https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta- p/111045

Question No.28

A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS?software wouldhelp in this case?

  1. application override

  2. Virtual Wire mode

  3. content inspection

  4. redistribution of user mappings

Correct Answer: D


https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a- large-scale-network

Question No.29

Based on the following image, what is the correct path of root, intermediate, and end-user certificate?


  1. Palo Alto Networks gt; Symantec gt; VeriSign

  2. Symantec gt; VeriSign gt; Palo Alto Networks

  3. VeriSign gt; Palo Alto Networks gt; Symantec

  4. VeriSign gt; Symantec gt; Palo Alto Networks

Correct Answer: D

Question No.30

An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?

  1. Enable QoS Data Filtering Profile

  2. Enable QoS monitor

  3. Enable Qos interface

  4. Enable Qos in the interface Management Profile.

Correct Answer: C

Get Full Version of the Exam