(Apr-2022) New PassLeader PCNSE v10 Exam Dumps

The document discusses exam questions and answers related to Palo Alto Networks certification exams. It provides sample questions about topics like bandwidth allocation, service routes, and GlobalProtect.

When allocating bandwidth to remote networks in Prisma Access, the minimum amount is 50Mbps as that provides 50Mbps ingress and egress for each network. Bandwidth can go up to 10% over the specified amount.

A service route allows traffic to exit the firewall to external services on the port assigned for that service. The server then sends responses back to the configured source interface and IP address.

New VCE and PDF Exam Dumps from PassLeader

➢ Vendor: Palo Alto Networks

➢ Exam Code: PCNSE

➢ Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) - PAN-OS 10.0

➢ Part of New Questions from PassLeader (Updated in Apr/2022)

Visit PassLeader and Download Full Version PCNSE Exam Dumps

NEW QUESTION 466


An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with
three remote networks. What is the minimum amount of bandwidth the administrator could
configure at the compute location?

A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps

Answer: D
Explanation:
The number you specify for the bandwidth applies to both the egress and ingress traffic for the
remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you
with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress.
Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped;
for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps
on egress (50 Mbps plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

NEW QUESTION 467


What is the function of a service route?

A. The service route is the method required to use the firewall's management plane to provide
services to applications.
B. The service packets enter the firewall on the port assigned from the external service. The
server sends its response to the configured destination interface and destination IP address.
C. The service packets exit the firewall on the port assigned for the external service. The
server sends its response to the configured source interface and source IP address.
D. Service routes provide access to external services such as DNS servers, external
authentication servers, or Palo Alto Networks services like the Customer Support Portal.

Answer: C

PCNSE v10 Exam Dumps PCNSE v10 Exam Questions PCNSE v10 PDF Dumps PCNSE v10 VCE Dumps
https://www.passleader.com/pcnse.html

NEW QUESTION 468

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto
Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the
network in a way that is minimally invasive?

A. Layer 3
B. Virtual Wire
C. Tap
D. Layer 2

Answer: D

NEW QUESTION 469


An engineer is in the planning stages of deploying User-ID in a diverse directory services
environment. Which server OS platforms can be used for server monitoring with User-ID?

A. Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory.
B. Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange.
C. Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory.
D. Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory.

Answer: B

NEW QUESTION 470


Your company has 10 Active Directory domain controllers spread across multiple WAN links. All
users authenticate to Active Directory. Each link has substantial network bandwidth to support all
mission-critical applications. The firewall's management plane is highly utilized. Given this scenario,
which type of User-ID agent is considered a best practice by Palo Alto Networks?

A. PAN-OS integrated agent.
B. Captive Portal.
C. Citrix terminal server agent with adequate data-plane resources.
D. Windows-based User-ID agent on a standalone server.

Answer: A

NEW QUESTION 471


A customer is replacing their legacy remote access VPN solution. The current solution is in place
to secure only internet egress for the connected clients. Prisma Access has been selected to
replace the current remote access VPN solution. During onboarding the following options and
licenses were selected and enabled:
- Prisma Access for Remote Networks 300Mbps.
- Prisma Access for Mobile Users 1500 Users.
- Cortex Data Lake 2TB.
- Trusted Zones trust.
- Untrusted Zones untrust.
- Parent Device Group shared.
How can you configure Prisma Access to provide the same level of access as the current VPN
solution?

A. Configure mobile users with trust-to-untrust Security policy rules to allow the desired traffic
outbound to the internet.
B. Configure mobile users with a service connection and trust-to-trust Security policy rules to
allow the desired traffic outbound to the internet.
C. Configure remote networks with a service connection and trust-to-untrust Security policy
rules to allow the desired traffic outbound to the internet.
D. Configure remote networks with trust-to-trust Security policy rules to allow the desired
traffic outbound to the internet.

Answer: D

NEW QUESTION 472


What best describes the HA Promotion Hold Time?

A. the time that is recommended to avoid an HA failover due to the occasional flapping of
neighboring devices
B. the time that is recommended to avoid a failover when both firewalls experience the same
link/path monitor failure simultaneously
C. the time that the passive firewall will wait before taking over as the active firewall after
communications with the HA peer have been lost
D. the time that a passive firewall with a low device priority will wait before taking over as the
active firewall if the firewall is operational again

Answer: B

NEW QUESTION 473


During the process of developing a decryption strategy and evaluating which websites are required
for corporate users to access, several sites have been identified that cannot be decrypted due to
technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites
will therefore be blocked if decrypted. How should the engineer proceed?

A. Allow the firewall to block the sites to improve the security posture.
B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.
C. Install the unsupported cipher into the firewall to allow the sites to be decrypted.
D. Create a Security policy to allow access to those sites.

Answer: A

NEW QUESTION 474


When using certificate authentication for firewall administration, which method is used for
authorization?

A. Radius
B. LDAP
C. Kerberos
D. Local

Answer: C

NEW QUESTION 475


An administrator analyzes the following portion of a VPN system log and notices the following issue:
"Received local id 10.10.1.4/24 type IPv4 address protocol 0 port 0, received remote id 10.1.10.4/24
type IPv4 address protocol 0 port 0." What is the cause of the issue?

A. IPSec crypto profile mismatch.
B. IPSec protocol mismatch.
C. mismatched Proxy-IDs.
D. bad local and peer identification IP addresses in the IKE gateway.

Answer: C


NEW QUESTION 476


What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC -> Block Activity) and look for patterns of abuse.
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs
separately from other threat logs.
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone
protection.
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity.

Answer: C

NEW QUESTION 477


An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet
gateway and wants to be sure of the functions that are supported on the VWire interface. What are
three supported functions on the VWire interface? (Choose three.)

A. NAT
B. QoS
C. IPSec
D. OSPF
E. SSL Decryption

Answer: ABC

NEW QUESTION 478


An administrator needs to build Security rules in a Device Group that allow traffic to specific users
and groups defined in Active Directory. What must be configured in order to select users and groups
for those rules from Panorama?

A. The Security rules must be targeted to a firewall in the device group and have Group
Mapping configured.
B. A master device with Group Mapping configured must be set in the device group where
the Security rules are configured.
C. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have
the same mappings.
D. A User-ID Certificate profile must be configured on Panorama.

Answer: D

NEW QUESTION 479


Which three use cases are valid reasons for requiring an Active/Active high availability deployment?
(Choose three.)

A. The environment requires real, full-time redundancy from both firewalls at all times.
B. The environment requires Layer 2 interfaces in the deployment.
C. The environment requires that both firewalls maintain their own routing tables for faster
dynamic routing protocol convergence.
D. The environment requires that all configuration must be fully synchronized between both
members of the HA pair.
E. The environment requires that traffic be load-balanced across both firewalls to handle peak
traffic spikes.

Answer: BCD


NEW QUESTION 480


Which protocol is supported by GlobalProtect Clientless VPN?

A. HTTPS
B. FTP
C. RDP
D. SSH

Answer: C

NEW QUESTION 481


When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption
can be implemented using a phased approach in alignment with Palo Alto Networks best practices.
What should you recommend?

A. Enable SSL decryption for known malicious source IP addresses.
B. Enable SSL decryption for source users and known malicious URL categories.
C. Enable SSL decryption for malicious source users.
D. Enable SSL decryption for known malicious destination IP addresses.

Answer: D

NEW QUESTION 482


An administrator needs firewall access on a trusted interface. Which two components are required
to configure certificate-based, secure authentication to the web UI? (Choose two.)

A. Certificate Profile
B. Server Certificate
C. SSH Service Profile
D. SSL/TLS Service Profile

Answer: AC

NEW QUESTION 483


Where is information about packet buffer protection logged?

A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and
blocked IP addresses are in the Threat log.
B. All entries are in the System log.
C. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and
blocked IP addresses are in the Threat log.
D. All entries are in the Alarms log.

Answer: C
Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

NEW QUESTION 484


Which statement regarding HA timer settings is true?

A. Use the Recommended profile for typical failover timer settings.
B. Use the Moderate profile for typical failover timer settings.
C. Use the Aggressive profile for slower failover timer settings.
D. Use the Critical profile for faster failover timer settings.

Answer: C

NEW QUESTION 485


A network security engineer must implement Quality of Service policies to ensure specific levels of
delivery guarantees for various applications in the environment. They want to ensure that they know
as much as they can about QoS before deploying. Which statement about the QoS feature is
correct?

A. QoS is only supported on firewalls that have a single virtual system configured.
B. QoS can be used in conjunction with SSL decryption.
C. QoS is only supported on hardware firewalls.
D. QoS can be used on firewalls with multiple virtual systems configured.

Answer: C

NEW QUESTION 486


Which GlobalProtect component must be configured to enable Clientless VPN?

A. GlobalProtect satellite.
B. GlobalProtect app.
C. GlobalProtect portal.
D. GlobalProtect gateway.

Answer: C
Explanation:
Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A
new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used
with an existing one.
https://www.nstec.com/how-to-configure-clientless-vpn-in-palo-alto/#5

NEW QUESTION 487


……
