Posted by dariahiddleston, Aug 24, 2020

Palo Alto Networks Certified Network Security Engineer

Palo Alto Networks PCNSE7 Dumps Available Here at:
https://www.certification-questions.com/palo-alto-networks-exam/pcnse7-dumps.html

Enrolling now you will get access to 104 questions in a unique set of PCNSE7 dumps

Question 1

A host attached to ethernet1/4 cannot ping the default gateway. The widget on the dashboard shows ethernet1/1 and ethernet1/4 to be green. The IP address of ethernet1/1 is 192.168.1.7 and the IP address of ethernet1/4 is 10.1.1.7. The default gateway is attached to ethernet1/1. A default route is properly configured.

What can be the cause of this problem?

Options:

A. No zone has been configured on ethernet1/4.
B. Interface ethernet1/1 is in Virtual Wire Mode.
C. DNS has not been properly configured on the firewall.
D. DNS has not been properly configured on the host.

Answer: A

Explanation:

A Layer 3 interface must be assigned to a security zone before the firewall will process traffic that arrives on it; a green link state and an IP address are not enough on their own. After you plan your zones and the corresponding interfaces, you can configure them on the device.

Incorrect Answers:

B: In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.
C, D: DNS is not required to ping IP addresses.

References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/getting-started/configure-interfaces-and-zones

Question 2

Site-A and Site- have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site- is configured properly, but the route for the tunnel is not being established. The Site- interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site- is using the wrong Link Type for one of its interfaces.

Which Link Type setting will correct the error?

Options:

A. Set ethernet1/21 to p2p
B. Set tunnel.10 to p2p
C. Set tunnel.10 to p2mp
D. Set ethernet1/21 to p2mp

Answer: A

Explanation:

We should set p2p on the Ethernet interface to enable automatic discovery of neighbors.

Note: OSPF Link type — Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.

References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/ospf

Question 3

Given the following routing table:

(routing table graphic)

Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

Options:

A. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
D. Configuring the metric for RIP to be lower than that of OSPF Ext

Answer: A

Explanation:

The entry for 192.168.93.0/30 with next hop 10.66.24.88 is flagged R, so it is a RIP route. There is also an entry for 192.168.93.0/30 with next hop 10.66.24.93 that is the active OSPF intra-area route (Oi Int). Lowering the Administrative Distance for RIP below that of OSPF Int makes the entry with next hop 10.66.24.88 the preferred route. Changing a metric does not help, because metrics are only compared between routes learned by the same protocol; the choice between protocols is made by Administrative Distance.

Note: The best route is selected among the candidates based on the Administrative Distance (AD) value of the routing protocol each route came from, and that route is marked with flag A, stating that it is the Active route. Administrative distance (AD) is an arbitrary numerical value assigned to dynamic routes, static routes and directly-connected routes. The value is used by vendor-specific routers to rank routes from most preferred to least preferred. When multiple paths to the same destination are available, the router uses the route with the lowest administrative distance and inserts the preferred route into its routing table.

References: https://live.paloaltonetworks.com/t5/Management-Articles/Routing-Table-has-Multiple-Prefixes-for-the-Same-Route/ta-p/54781
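The selection rule this explanation relies on, as an added worked example that is not from the exam dump or from Palo Alto Networks: a small Python model of how a virtual router picks the Active route when several candidates exist for one prefix. The routing entries and metrics are constructed to mirror the question, and the administrative-distance defaults are assumed PAN-OS values (check the virtual router settings on your own release).

```python
# Added example (not from the exam dump): model of Active-route selection
# among several candidates for the same prefix, as a PAN-OS virtual router
# does it, to show why Question 3 is answered by AD and not by metric.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str   # "static", "ospf-int", "ospf-ext" or "rip"
    metric: int     # protocol-specific cost; not comparable across protocols


# Constructed entries mirroring the question: one OSPF intra-area route (Oi)
# and one RIP route (R) for the same /30, with different next hops.
ROUTES = [
    Route("192.168.93.0/30", "10.66.24.93", "ospf-int", 20),
    Route("192.168.93.0/30", "10.66.24.88", "rip", 2),
]

# Assumed PAN-OS default administrative distances (virtual router settings);
# lower wins. Verify against your own release before relying on them.
DEFAULT_AD = {"static": 10, "ospf-int": 30, "ospf-ext": 110, "rip": 120}


def select_active(routes, ad=DEFAULT_AD):
    """Return the candidate that receives the Active (A) flag.

    Lowest administrative distance wins outright; the metric is consulted
    only to break a tie between routes whose AD is equal.
    """
    return min(routes, key=lambda r: (ad[r.protocol], r.metric))


def active_next_hop(routes, ad=DEFAULT_AD):
    return select_active(routes, ad).next_hop


def with_rip_metric(routes, metric):
    """Copy of the table with every RIP entry's metric replaced (options B/D)."""
    return [replace(r, metric=metric) if r.protocol == "rip" else r for r in routes]


if __name__ == "__main__":
    print("default AD    ->", active_next_hop(ROUTES))                        # 10.66.24.93
    option_a = {**DEFAULT_AD, "rip": 25}                                      # RIP AD below OSPF Int
    print("RIP AD 25     ->", active_next_hop(ROUTES, option_a))              # 10.66.24.88
    print("RIP metric 1  ->", active_next_hop(with_rip_metric(ROUTES, 1)))    # still 10.66.24.93
    print("RIP metric 99 ->", active_next_hop(with_rip_metric(ROUTES, 99)))   # still 10.66.24.93
```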

Question 4

A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.

What action will bring the VPN up and allow traffic to start passing between the sites?

Options:

A. Change the Site- IKE Gateway profile version to match Site-A.
B. Change the Site- IKE Gateway profile exchange mode to aggressive mode.
C. Enable NAT Traversal on the Site- IKE Gateway profile.
D. Change the pre-shared key of Site- to match the pre-shared key of Site-A.

Answer: D

Explanation:

The event name ike-nego-p1-fail-psk shows that the IKE phase 1 negotiation failed because of the pre-shared key (PSK): the two peers do not hold the same key, so they cannot authenticate each other and no phase 1 SA is established.

Note: IKE authentication can be performed using either a pre-shared key (shared secret), signatures, or public key encryption.

References: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Question 5

A company is upgrading its existing Palo Alto Networks firewalls from version 7.0.1 to 7.0.4.

Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise? (Choose three.)

Options:

A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading.
B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one firewall.
E. Download and install PAN-OS 7.0.4 directly on each firewall.
F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.

Answer: A, C, F

Explanation:

A: To manually download the software and install onto the device:

1. Navigate to the Palo Alto Networks Support Portal on a web browser.
2. Go to the Software Updates page and download the appropriate PAN-OS release for your device.
3. On the WebUI of the device, navigate to Device > Software and click "Upload." Browse to locate the downloaded software package, then click OK to upload the file to the device.
4. Click "Install from File" and select the uploaded file.
5. Click OK to initiate the upgrade.

C, F: How to Upgrade PAN-OS on a Palo Alto Networks Device

Steps

1. From the WebGUI, go to Device > Software, or on Panorama, Panorama > Software on the left pane to open the software page.
2. In the lower left corner, click "Check Now" to update the list of latest software releases available from Palo Alto Networks.
3. Download and install the new release. Refer to the Base Version Note below about base versions. To install a new release from the download site:
   a. Click Download next to the release to be installed. When the download is complete, a check mark is displayed in the Downloaded column.
   b. Click Install next to the release to initiate the installation. During installation, an option is available to have the device automatically reboot when installation is complete.
   c. When the installation is complete, a prompt displays to restart the device.

References: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Upgrade-PAN-OS-on-a-Palo-Alto-Networks-Device/ta-p/53648
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Install-Software-Image-that-was-Pushed-from-Panorama/ta-p/56713

Question 6

A logging infrastructure may need to handle more than 10,000 logs per second.

Which two options support a dedicated log collector function? (Choose two.)

Options:

A. Panorama virtual appliance on ESX(i) only
B. M-500
C. M-100 with Panorama installed
D. M-100

Answer: B, C

Explanation:

B: Each M-500 appliance can process up to 60,000 logs/second.
C: M-100 appliance in Log Collector Mode. Each M-100 appliance can process up to 30,000 logs/second and store up to 4TB of log data.

Note: To enable the Panorama management server (Panorama virtual appliance or M-Series appliance in Panorama mode) to manage a Log Collector, you must add it as a managed collector. The M-Series appliance in Panorama mode has a predefined (default) local Log Collector. However, switching from Panorama Mode to Log Collector Mode would remove the local Log Collector and would require you to re-configure the appliance as a Dedicated Log Collector (M-Series appliance in Log Collector mode).

Incorrect Answers:

A: A deployment without a Dedicated Log Collector is recommended only for up to 10,000 logs/second. Where the logs are collected then depends on the Panorama management server:
* Virtual appliance—Panorama collects logs without any Log Collector.
* M-Series appliance—Local default Log Collector.
D: M-100 without Panorama installed would use the local default Log Collector, and would handle a maximum of 10,000 logs per second.

References: https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-log-collection/log-collection-deployments#18043

Question 7

Which three fields can be included in a pcap filter? (Choose three.)

Options:

A. Egress Interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress Interface

Answer: B, C, D

Explanation:

B, D: Following are a few filter examples (though NOT limited solely to these options) which can be referenced/utilized/applied:

Filter By Port
> tcpdump filter "port 80"

Filter By Source IP
> tcpdump filter "src x.x.x.x"

Filter By Destination IP
> tcpdump filter "dst x.x.x.x"

Filter By Host (src & dst) IP
> tcpdump filter "host x.x.x.x"

Filter By Host (src & dst) IP, excluding SSH traffic
> tcpdump filter "host x.x.x.x and not port 22"

C: pcap filter expression primitives include:

* rnr num
  True if the packet was logged as matching the specified PF rule number (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).
* rulenum num
  Synonymous with the rnr modifier.

References:
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415
http://www.tcpdump.org/manpages/pcap-filter.7.html

Question 8

A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:

* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address: 23.54.6.10.
* Web server private IP address: 192.168.1.10.

Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)

Options:

A. Untrust-L3 for both Source and Destination Zone
B. Destination IP of 192.168.1.10
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of 23.54.6.10

Answer: C, D

Explanation:

C: Restrict access from the Internet to the servers on the DMZ to specific server IP addresses only. For example, you might only allow users to access the webmail servers from outside. Zone: Untrust to DMZ.
D: Set the Destination Address to the Public web server address object you created earlier. The public web server address object references the public IP address—23.54.6.10—of the web server that is accessible on the DMZ.

References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-security-policies

Question 9

A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex.

Which CLI command will help identify the issue?

Options:

A. test routing fib virtual-router vr1
B. show routing route type static destination 98.139.183.24
C. test routing fib-lookup ip 98.139.183.24 virtual-router vr1
D. show routing interface

Answer: C

Explanation:

The referenced article explains how to perform a FIB lookup for a particular destination within a particular virtual router on a Palo Alto Networks firewall. The lookup returns the single forwarding entry the firewall would actually use for that destination, which is quicker than reading through a large routing table by hand.

1. Select the desired virtual router from the list of virtual routers configured with the command:
   > test routing fib-lookup virtual-router <value>
2. Specify a destination IP address:
   > test routing fib-lookup virtual-router default ip <ip address>

Note: A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper interface to which the input interface should forward a packet.

References: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Perform-FIB-Lookup-for-a-Particular-Destination/ta-p/52188

Question 10

A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.

What should be done next?

Options:

A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click Show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with "default" in the Action column.

Answer: B

Explanation:

All Anti-Spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.

References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html

Would you like to see more? Don't miss our PCNSE7 PDF file at:
https://www.certification-questions.com/palo-alto-networks-pdf/pcnse7-pdf.html

Palo Alto Networks PCNSE7

https://www.certification-questions.com