[Free] 2019(Nov) EnsurePass Palo Alto Networks PCNSE Dumps with VCE and PDF 61-70

Get Full Version of the Exam

Question No.61

Which feature can provide NGFWs with User-ID mapping information?

  1. GlobalProtect

  2. WebCaptcha

  3. Native 802.1q authentication

  4. Native 802.1x authentication

Correct Answer: A

Question No.62

Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo AltoNetworks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?


  1. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

  2. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.

  3. Configure log compression and optimization features on all remote firewalls.

  4. Any configuration on an M-500 would address the insufficient bandwidth concerns.

Correct Answer: A

Question No.63

Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?


  1. Untrust (any) to Untrust (10. 1.1. 100), web browsing – Allow

  2. Untrust (any) to Untrust (1. 1. 1. 100), web browsing – Allow

  3. Untrust (any) to DMZ (1. 1. 1. 100), web browsing – Allow

  4. Untrust (any) to DMZ (10. 1. 1. 100), web browsing – Allow

Correct Answer: B

Question No.64

Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

  1. port mapping

  2. server monitoring

  3. client probing

  4. XFF headers

Correct Answer: A


https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user- mapping-for-terminal-server-users

Question No.65

When is the content inspection performed in the packet flow process?

  1. after the application has been identified

  2. before session lookup

  3. before the packet forwarding process

  4. after the SSL Proxy re-encrypts the packet

Correct Answer: A


https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta- p/56081

Question No.66

A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone andto assign untagged (native) traffic to its own zone which options differentiates multiple VLAN into separate zones?

  1. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLANand use a VLAN ID of0 for untagged traffic. Assign each interface/subinterface to a unique zone.

  2. Create V-Wire objects with two V-Wire sub interface and assign only a single VLAN ID to the quot;Tag Allowed field one of the V-Wire object Repeat for every additional VLAN and usea VIAN ID of 0 for untagged traffic. Assign each interface/subinterfaceto a unique zone.

  3. Create V-Wire objects with two V-Wire interfaces and define a range quot;0- 4096quot; in the #39;Tag Allowed filed of the V-Wire object.

  4. Create Layer 3 sub interfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3interface would handle untagged traffic. Assign each interface

/subinterface to a unique zone. Do not assign any interface anIP address

Correct Answer: C

Question No.67

Which Captive Portal mode must be configured to support MFA authentication?

  1. NTLM

  2. Redirect

  3. Single Sign-On

  4. Transparent

Correct Answer: B


https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure- multi-factor-authentication

Question No.68

An administrator needs to upgrade an NGFW to the most current version of PAN-OS?software. The following is occurring:


Firewall has Internet connectivity through e1/1.


Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.


Service route is configured, sourcing update traffic from e1/1.



A communication error appears in the System logs when updates are performed. Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

  1. DNS settings for the firewall to use for resolution

  2. scheduler for timed downloads of PAN-OS software

  3. static route pointing application PaloAlto-updates to the update servers

  4. Security policy ruleallowing PaloAlto-updates as the application

Correct Answer: D

Question No.69

An administrator needs to determine why users onthe trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?









Correct Answer: B

Question No.70

In a virtual router, which object contains all potential routes?

  1. MIB

  2. RIB

  3. SIP

  4. FIB

Correct Answer: B

Get Full Version of the Exam