Updated PCNSE7 New Questions From Lead2pass Free Downloading:
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?
A. A Server Profile has not been configured for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. The firewall is not licensed for logging to this Panorama device.
D. None of the firewall’s policies have been assigned a Log Forwarding profile
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled.
Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment?
A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert
Starting with PAN-OS 6.0, DNS sinkhole is an action that can be enabled in Anti-Spyware profiles. A DNS sinkhole can be used to identify infected hosts on a protected network using DNS traffic in environments where the firewall can see the DNS query to a malicious URL.
The DNS sinkhole enables the Palo Alto Networks device to forge a response to a DNS query for a known malicious domain/URL and causes the malicious domain name to resolve to a definable IP address (fake IP) that is given to the client. If the client attempts to access the fake IP address and there is a security rule in place that blocks traffic to this IP, the information is recorded in the logs.
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two)
A. The devices are pre-configured with a virtual wire pair out the first two interfaces.
B. The devices are licensed and ready for deployment.
C. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections.
D. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone.
E. The interfaces are pingable.
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?
A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file
A network engineer has revived a report of problems reaching 184.108.40.206 through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?
A. test routing fib virtual-router vr1
B. show routing route type static destination 220.127.116.11
C. test routing fib-lookup ip 18.104.22.168 virtual-router vr1
D. show routing interface
This document explains how to perform a fib lookup for a particular destination within a particular virtual router on a Palo Alto Networks firewall.
1. Select the desired virtual router from the list of virtual routers configured with the command:
> test routing fib-lookup virtual-router <value>
2. Specify a destination IP address:
> test routing fib-lookup virtual-router default ip <ip address>
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
A. Configure the management interface as HA3 Backup
B. Configure Ethernet 1/1 as HA1 Backup
C. Configure Ethernet 1/1 as HA2 Backup
D. Configure the management interface as HA2 Backup
E. Configure the management interface as HA1 Backup
F. Configure ethernet1/1 as HA3 Backup
E: For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
1. In Device > High Availability > General, edit the Control Link (HA1) section.
2. Select the interface that you have cabled for use as the HA1 link in the Port drop down menu. Set the IP address and netmask. Enter a Gateway IP address only if the HA1 interfaces are on separate subnets. Do not add a gateway if the devices are directly connected.
What are three valid actions in a File Blocking Profile? (Choose three)
You can configure a file blocking profile with the following actions:
Forward – When the specified file type is detected, the file is sent to WildFire for analysis. A log
is also generated in the data filtering log.
Block – When the specified file type is detected, the file is blocked and a customizable block
page is presented to the user. A log is also generated in the data filtering log.
Alert – When the specified file type is detected, a log is generated in the data filtering log.
Continue – When the specified file type is detected, a customizable response page is presented
to the user. The user can click through the page to download the file. A log is also generated in
the data filtering log. Because this type of forwarding action requires user interaction, it is only
applicable for web traffic.
Continue-and-forward – When the specified file type is detected, a customizable continuation
page is presented to the user. The user can click through the page to download the file. If the
user clicks through the continue page to download the file, the file is sent to WildFire for analysis.
A log is also generated in the data filtering log.
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator’s home and experiencing issues completing the connection. The following is th output from the command:
What could be the cause of this problem?
A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA.
C. The shared secrets do not match between the Palo Alto firewall and the ASA
D. The deed peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
The Proxy IDs could have been checked for mismatch.
Which interface configuration will accept specific VLAN IDs?
A. Tab Mode
C. Access Interface
D. Trunk Interface
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic.
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. BrightCloud Url Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures
C: PAN-DB categorizes URLs based on their content at the domain, file and page level, and receives updates from WildFire cloud-based malware analysis environment every 30 minutes to make sure that, when web content changes, so do categorizations. This continuous feedback loop enables you to keep pace with the rapidly changing nature of the web, automatically.
D: DNS is a very necessary and ubiquitous application, as such, it is a very commonly abused protocol for command-and-control and data exfiltration. This tech brief summarizes the DNS classification, inspection and protection capabilities supported by our next-generation security platform, which includes:
1. Malformed DNS messages (symptomatic of vulnerability exploitation attack).
2. DNS responses with suspicious composition (abused query types, DNS-based denial of service attacks).
3. DNS queries for known malicious domains. Our ability to prevent threats from hiding within DNS
The passive DNS network feature allows you to opt-in to share anonymized DNS query and response data with our global passive DNS network. The data is continuously mined to discover malicious domains that are then added to the PAN-OS DNS signature set that is delivered daily, enabling timely detection of compromised hosts within the network and the disruption of command-and-control channels that rely on name resolution.
PCNSE7 dumps full version (PDF&VCE): https://www.lead2pass.com/pcnse7.html
Large amount of free PCNSE7 exam questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDc3F3eHZRclVhZ3c