Palo Alto PCNSE NGFW Questions with complete solutions 2023
When creating a custom admin role, which four types of privileges can be defined? (Choose four.)
A. Command Line
B. Panorama
C. XML API
D. Java API
E. REST API
F. WebUI
Answer: ACEF

Global user authentication is supported by which three authentication services? (Choose three.)
A. Certificate
B. RADIUS
C. SAML
D. LDAP
E. TACACS+
Answer: BCE

What is the result of performing a firewall Commit operation?
A. The saved configuration becomes the loaded configuration.
B. The loaded configuration becomes the candidate configuration.
C. The candidate configuration becomes the running configuration.
D. The candidate configuration becomes the saved configuration.
Answer: C

Which three MGT port configuration settings must be configured before you can remotely access the web interface? (Choose three.)
A. netmask
B. default gateway
C. hostname
D. DNS server
E. IP address
Answer: ABE

When committing changes to a firewall, what is the result of clicking the Preview Changes link?
A. shows any error messages that would appear during a commit
B. lists the individual settings for which you are committing changes
C. compares the candidate configuration to the running configuration
D. displays any unresolved application dependencies
Answer: C

Which two separate firewall planes comprise the PAN-OS architecture? (Choose two.)
A. HA plane
B. signature processing plane
C. data plane
D. management (control) plane
E. routing plane
Answer: CD

Which two statements are true regarding the candidate configuration? (Choose two.)
A. It controls the current operation of the firewall.
B. It always contains the factory default configuration.
C. It contains possible changes to the current configuration.
D. It can be reverted to the current configuration.
Answer: CD

Which object cannot be segmented using virtual systems on a firewall?
A. network security zone
B. data plane interface
C. administrative access
D. MGT interface
Answer: D

The Palo Alto Networks Cybersecurity Portfolio focuses on which three principal technologies? (Choose three.)
A. securing the cloud
B. securing operations response
C. securing third-party application access
D. securing the enterprise
E. securing the internet of things
Answer: ABD

What are the two attributes of the dedicated out-of-band network management port in Palo Alto Networks firewalls? (Choose two.)
A. supports only SSH connections
B. labeled MGT by default
C. requires a static, non-DHCP network configuration
D. cannot be configured as a standard traffic port
Answer: BD

True or false? To register a hardware firewall, you will need the firewall’s serial number.
A. true
B. false
Answer: A

In the web interface, what is signified when a text box is highlighted in red?
A. The value in the text box is required.
B. The value in the text box is controlled by Panorama.
C. The value in the text box is optional.
D. The value in the text box is an error.
Answer: A

True or false? Service routes can be used to configure an in-band port to access external services.
A. true
B. false
Answer: A

True or false? The running configuration consists of configuration changes in progress but not active on the firewall.
A. true
B. false
Answer: B

True or false? Server Profiles define connections that the firewall can make to external servers.
A. true
B. false
Answer: A

True or false? Certificate-based authentication replaces all other forms of either local or external authentication.
A. true
B. false
Answer: A

Which two activities are part of the cyberattack lifecycle reconnaissance stage? (Choose two.)
A. port scans
B. social engineering
C. RAT installation
D. establish C2
Answer: AB

At which packet flow stage does the firewall detect and block pre-session reconnaissance and DoS attacks?
A. application identification
B. content inspection
C. ingress
D. slowpath
Answer: C

True or false? A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.
A. true
B. false
Answer: A

Which protection method can be used to mitigate single-session DoS attacks?
A. DoS Protection policy
B. packet buffer protection
C. Zone Protection Profile
D. DoS Protection Profile
Answer: B

True or false? DoS Protection policy is applied to session traffic before a Zone Protection Profile.
A. true
B. false
Answer: B

Which type of protection is provided by both a Zone Protection Profile and a DoS Protection Profile?
A. packet-based and protocol-based
B. session limits
C. reconnaissance
D. flood
Answer: D

Which firewall configuration component is used to block access to known-bad IP addresses?
A. NAT policy
B. IP Security Profile
C. Security policy
D. Vulnerability Protection Profile
Answer: C

In which three locations can you configure the firewall to use an EDL? (Choose three.)
A. DoS Protection Profile
B. URL Filtering Profile
C. Antivirus Profile
D. Anti-Spyware Profile
E. Security policy
Answer: BDE

In which firewall configuration component can you use an EDL of type Domain List?
A. Antivirus Profile
B. Security policy
C. Anti-Spyware Profile
D. URL Filtering Profile
Answer: C

True or false? A best practice is to enable the “sinkhole” action in an Anti-Spyware Profile.
A. true
B. false
Answer: A

True or false? When migration is done from the firewall of another vendor to a Palo Alto Networks firewall, a best practice is to always migrate the existing Security policy.
A. true
B. false
Answer: A

True or false? If App-ID cannot identify the traffic, Content-ID cannot inspect the traffic for malware.
A. true
B. false
Answer: A

Which item is the name of an object that dynamically identifies and associates applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic?
A. application
B. application profile
C. application filter
D. application group
Answer: C

Before App-ID would identify traffic as facebook-base, it would first identify the traffic as which application?
A. web-browsing
B. ssl
C. unknown-udp
D. unknown-tcp
Answer: B

When are brand-new application signatures released by Palo Alto Networks?
A. once per month
B. as soon as possible
C. with each PAN-OS software update
D. once per week
Answer: A

What triggers Security policy rule match in the Policy Optimizer’s No App Specified window?
A. “any” in the Application column
B. “Allow” in the Action column
C. “unknown” in the Application column
D. “application-default” in the Service column
Answer: A

True or false? Content-ID inspection is possible for a custom application only if you define a Parent App for the custom application and the Parent App is a non-custom App-ID application.
A. true
B. false
Answer: A

True or false? You must define a custom signature for a custom application that is identified by an Application Override rule.
A. true
B. false
Answer: B

True or false? Content-ID inspection is possible for custom application traffic that is identified by an Application Override rule, but only if the custom application’s Parent App is based on a non-custom application.
A. true
B. false
Answer: A

Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?
A. JAR
B. APK
C. PDF
D. EXE
Answer: D

Which WildFire verdict might indicate obtrusive behavior but not a security threat?
A. Phishing
B. Grayware
C. Benign
D. Malware
Answer: B

True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.
A. true
B. false
Answer: B

Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.)
A. protocol-based attacks
B. sensitive data exfiltration
C. malware introduction
D. denial-of-service attacks
Answer: BC

School, study and subject
- Institution: PCNSE
- Course: PCNSE

Document information
- Uploaded on: March 13, 2023
- Number of pages: 25
- Written in: 2022/2023
- Type: Exam
- Contains: Questions and answers