Summer Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: v4s65

PCNSE Exam Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Go to page:
Question # 97

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Full Access
Question # 98

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?

A.

The PAN-OS integrated User-ID agent must be a member of the Active Directory domain

B.

The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW’s management CPU

C.

The standalone User-ID agent consumes fewer resources on the NGFW’s management CPU

D.

The standalone User-ID agent must run directly on the domain controller server

Full Access
Question # 99

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

A.

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

B.

Phase 2 SAs are synchronized over HA2 links.

C.

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

D.

Phase 1 SAs are synchronized over HA1 links.

Full Access
Question # 100

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.

What can the administrator do to limit the captured traffic to the newly configured filter?

A.

In the GUI under Monitor > Packet Capture > Manage Filters, under Ingress Interface, select an interface.

B.

Command line: > debug dataplane packet-diag clear filter all

C.

In the GUI under Monitor > Packet Capture > Manage Filters, under the Non-IP field, select "exclude."

D.

Command line: > debug dataplane packet-diag clear filter-marked-session all

Full Access
Question # 101

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?

A.

Multiple external gateways

B.

Single or multiple internal gateways

C.

Split DNS and HIP checks

D.

IPv6 for internal gateways

Full Access
Question # 102

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Full Access
Question # 103

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.2. Check the box for negate option to negate this IP from the NAT translation.

Full Access
Go to page: