It is more faster and easier to pass the Paloalto Networks PCNSE7 exam by using Realistic Paloalto Networks Palo Alto Networks Certified Network Security Engineer questuins and answers. Immediate access to the Improve PCNSE7 Exam and find the same core area PCNSE7 questions with professionally verified answers, then PASS your exam with a high score now.

2021 Apr PCNSE7 exam answers

Q21. A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?

A. Pre Rules

B. Post Rules

C. Explicit Rules

D. Implicit Rules 

Answer: A


Q22. The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080.

 

Which NAT and security rules must be configured on the firewall? (Choose two)

A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application

B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.

C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.

D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: B,D


Q23. ION NO: 40

Palo Alto Networks maintains a dynamic database of malicious domains.

Which two Security Platform components use this database to prevent threats? (Choose two)

A. Brute-force signatures

B. BrightCloud Url Filtering

C. PAN-DB URL Filtering

D. DNS-based command-and-control signatures 

Answer: C,D


Q24. A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?

A. The two devices must share a routable floating IP address

B. The two devices may be different models within the PA-5000 series

C. The HA1 IP address from each peer must be on a different subnet

D. The management port may be used for a backup control connection 

Answer: D


Q25. How does Panorama handle incoming logs when it reaches the maximum storage capacity?

A. Panorama discards incoming logs when storage capacity full.

B. Panorama stops accepting logs until licenses for additional storage space are applied

C. Panorama stops accepting logs until a reboot to clean storage space.

D. Panorama automatically deletes older logs to create space for new ones. 

Answer: D

Explanation:

(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/se t-up-panorama/determine-panorama-log-storage-requirements)


Down to date PCNSE7 exam cost:

Q26. How are IPV6 DNS queries configured to user interface ethernet1/3?

A. Network > Virtual Router > DNS Interface

B. Objects > CustomerObjects > DNS

C. Network > Interface Mgrnt

D. Device > Setup > Services > Service Route Configuration 

Answer: D


Q27. Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base

Rule2 allows youtube-base

The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.

Which action will allow youtube.com display in the browser correctly?

A. Add SSL App-ID to Rule1

B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it

C. Add the DNS App-ID to Rule2

D. Add the Web-browsing App-ID to Rule2 

Answer: C


Q28. Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to- client flows only?

A. Disable Server Response Inspection

B. Apply an Application Override

C. Disable HIP Profile

D. Add server IP Security Policy exception 

Answer: A


Q29. A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information:

•DMZ zone: DMZ-L3

•Public zone: Untrust-L3

•Guest zone: Guest-L3

•Web server zone: Trust-L3

•Public IP address (Untrust-L3): 1.1.1.1

•Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

A. Untrust-L3

B. DMZ-L3

C. Guest-L3

D. Trust-L3 

Answer: A


Q30. Which three function are found on the dataplane of a PA-5050? (Choose three)

A. Protocol Decoder

B. Dynamic routing

C. Management

D. Network Processing

E. Signature Match 

Answer: B,D,E