2017 June New Updated PCNSE7 Exam Dumps with PDF and VCE Free Shared in www.Braindump2go.com  Today!

QUESTION 41
How is the Forward Untrust Certificate used?

A.    It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted.
B.    It is used when web servers request a client certificate.
C.    It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by the firewall.
D.    It is used for Captive Portal to identify unknown users.

Answer: C
Explanation:
Though a single certificate can be used for both Forward Trust and Forward Untrust, creating a separate certificate specifically for Untrust (which must be generated as a CA) allows for easy differentiation of a valid certificate/trust error as the Palo Alto Networks device proxies the secure session.
Verify the CA to be blocked, keeping in mind that doing so blocks access to all sites issued by this CA.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Prevent-Access-to-Encrypted-Websites-Based-on-Certificate/ta-p/57585

QUESTION 42
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies.
Which CLI command syntax will display the rule that matches the test?

A.    test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
B.    show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
C.    test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>
D.    show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>

Answer: A
Explanation:
If you know the source or destination IP address, the test command from the CLI will search the security policies and display the best match:
Example:
> test security-policy-match source <source IP> destination <destination IP> protocol <protocol number>
The output will show which policy rule will be applied to this traffic match based on the source and destination IP addresses.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Test-Which-Security-Policy-Applies-to-a-Traffic-Flow/ta-p/53693

QUESTION 43
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two)

A.    A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application
B.    A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.
C.    A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.
D.    A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

Answer: CD

QUESTION 44
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred?

A.    From the CLI, issue the show System log command
B.    Apply the filter subtype eq ha to the System log
C.    Apply the filter subtype eq ha to the configuration log
D.    Check the status of the High Availability widget on the Dashboard of the GUI

Answer: B

QUESTION 45
A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these products?

A.    Pre Rules
B.    Post Rules
C.    Explicit Rules
D.    Implicit Rules

Answer: B
Explanation:
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/134/1/Panorama-Design-Planning.pdf

QUESTION 46
Which client software can be used to connect a remote Linux client into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats?

A.    X-Auth IPsec VPN
B.    GlobalProtect Apple IOS
C.    GlobalProtect SSL
D.    GlobalProtect Linux

Answer: A

QUESTION 47
Only two Trust to Untrust allow rules have been created in the Security policy:
– Rule1 allows google-base
– Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found.
Which action will allow youtube.com to display in the browser correctly?

A.    Add SSL App-ID to Rule1
B.    Create an additional Trust to Untrust Rule, add the web-browsing and SSL App-IDs to it
C.    Add the DNS App-ID to Rule2
D.    Add the Web-browsing App-ID to Rule2

Answer: C

QUESTION 48
The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal?

A.    Server Certificate
B.    Client Certificate
C.    Authentication Profile
D.    Certificate Profile

Answer: A
Explanation:
Specify the network settings to enable agents to connect to the portal.
If you have not yet created the network interface for the portal, see Create Interfaces and Zones for GlobalProtect for instructions. If you haven’t yet created an SSL/TLS service profile for the portal, see Deploy Server Certificates to the GlobalProtect Components.
https://www.paloaltonetworks.com/documentation/70/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-access-to-the-globalprotect-portal#47470

QUESTION 49
Which command can be used to validate a Captive Portal policy?

A.    eval captive-portal policy <criteria>
B.    request cp-policy-eval <criteria>
C.    test cp-policy-match <criteria>
D.    debug cp-policy <criteria>

Answer: C
Explanation:
You can use the test security-policy-match command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
from corporate;
source any;
source-region any;
to internet;
destination any;
destination-region any;
user acme\duane;
category any;
application/service worldofwarcraft;
action deny;
terminal no;
}
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/verify-the-user-id-configuration

QUESTION 50
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise? (Choose three)

A.    Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually uploading.
B.    Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C.    Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
D.    Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining firewalls after updating one firewall.
E.    Download and install PAN-OS 7.0.4 directly on each firewall.
F.    Download and push PAN-OS 7.0.4 from Panorama to each firewall.

Answer: AEF

