Palo Alto Networks Certified Network Security Engineer - PCNSE Exam Practice Test

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)
Correct Answer: A,D
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
Information Security is enforcing group-based policies by using security-event monitoring on Windows User- ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?
Correct Answer: A
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)
Correct Answer: A,B,C
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
Correct Answer: A
A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?
Correct Answer: C
A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP agent configuration. Which interface mode can the broadcast DHCP traffic?
Correct Answer: B
Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?
Correct Answer: B
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.
What should the engineer do to complete the configuration?
Correct Answer: C
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?
Correct Answer: A
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
Correct Answer: C
Explanation: Only visible for TrainingDump members. You can sign-up / login (it's free).
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
Correct Answer: A,B
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?
Correct Answer: B
An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ.
The NAT policy is configured with the following values:
- Source zone: Outside and source IP address 1.2.2.2
- Destination zone: Outside and destination IP address 2.2.2.1
The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.
Which destination IP address and zone should the engineer use to configure the security policy?
Correct Answer: C
0
0
0
0