Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

PCNSE Exam Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Go to page:
Question # 89

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.

2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.

2. Check the box for negate option to negate this IP from the NAT translation.

Full Access
Question # 90

Why would a traffic log list an application as "not-applicable”?

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Full Access
Question # 91

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos LDAP, and TACACS+?

A.

The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user.

B.

The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user.

C.

The priority assigned to the Authentication profile defines the order of the sequence.

D.

If the authentication times cut for the firs: Authentication profile in the authentication sequence, no further authentication attempts will be made.

Full Access
Question # 92

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.

Full Access
Question # 93

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?

A.

Confirm the file types and direction are configured correctly in the WildFire analysis profile

B.

Configure the appropriate actions in the Antivirus security profile

C.

Configure the appropriate actions in the File Blocking profile

D.

Confirm the file size limits are configured correctly in the WildFire general settings

Full Access
Question # 94

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

A.

NAT

B.

DOS protection

C.

QoS

D.

Tunnel inspection

Full Access
Question # 95

In a template, which two objects can be configured? (Choose two.)

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Full Access
Question # 96

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Full Access
Go to page: