- Home
- Palo Alto Networks
- Palo Alto Networks Certified Network Security Engineer
- PaloAltoNetworks.PCNSE7.v2018-04-11.q106
- Question 106
Valid PCNSE7 Dumps shared by ExamDiscuss.com for Helping Passing PCNSE7 Exam! ExamDiscuss.com now offer the newest PCNSE7 exam dumps, the ExamDiscuss.com PCNSE7 exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com PCNSE7 dumps with Test Engine here:
Access PCNSE7 Dumps Premium Version
(177 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question
Question 106/106
A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall:
Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)
Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two.)
Correct Answer: B,D
Explanation/Reference:
B: Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats-both known and unknown-in your network traffic.
D: Log forwarding profiles allow you to forward traffic and threat logs to Panorama or an external system. A log forwarding profile can be added to a security zone to forward zone protection logs or to a security policy to forward logs for traffic that matches that policy.
Incorrect Answers:
A: Rules are not use to identify unclassified traffic.
Note: Besides checking for a specific application, you can also check for any unknown applications in the list of top applications. These are applications that did not match a defined App-ID signature and display as unknown-udp and unknown-tcp. To delve into these unknown applications, click on the name to drill down to the details for the unclassified traffic.
C: Rule 2 and Rule 3 apply to all any address in Trust-L3, and are not restricted to any specific ports.
References:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/create-best-practice-security- profiles
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/log-forwarding- profiles.html
B: Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats-both known and unknown-in your network traffic.
D: Log forwarding profiles allow you to forward traffic and threat logs to Panorama or an external system. A log forwarding profile can be added to a security zone to forward zone protection logs or to a security policy to forward logs for traffic that matches that policy.
Incorrect Answers:
A: Rules are not use to identify unclassified traffic.
Note: Besides checking for a specific application, you can also check for any unknown applications in the list of top applications. These are applications that did not match a defined App-ID signature and display as unknown-udp and unknown-tcp. To delve into these unknown applications, click on the name to drill down to the details for the unclassified traffic.
C: Rule 2 and Rule 3 apply to all any address in Trust-L3, and are not restricted to any specific ports.
References:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/create-best-practice-security- profiles
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/log-forwarding- profiles.html
- Question List (106q)
- Question 1: The IT department has received complaints about VoIP call ji...
- Question 2: What are the three Security Policy Rule Type classifications...
- Question 3: A network design change requires an existing firewall to sta...
- 1 commentQuestion 4: In an enterprise deployment, a network security engineer wan...
- 1 commentQuestion 5: Which two statements accurately describe how DoS Protection ...
- 1 commentQuestion 6: A company has a pair of Palo Alto Networks firewalls configu...
- Question 7: Which command can be used to validate a Captive Portal polic...
- Question 8: A critical US-CERT notification is published regarding a new...
- Question 9: Support for which authentication method was added in PAN-OS ...
- 1 commentQuestion 10: A network security engineer has been asked to analyze WildFi...
- Question 11: Which three options does the WF-500 appliance support for lo...
- 1 commentQuestion 12: Which three fields can be included in a pcap filter? (Choose...
- Question 13: Which two actions are required to make Microsoft Active Dire...
- Question 14: A company has a web server behind a Palo Alto Networks next-...
- Question 15: A network security engineer for a large company has just ins...
- 1 commentQuestion 16: A logging infrastructure may need to handle more than 10,000...
- Question 17: Which device Group option is assigned by default in Panorama...
- Question 18: PAS-OS 7.0 introduced an automated correlation engine that a...
- Question 19: A network administrator needs to view the default action for...
- Question 20: A host attached to ethernet1/4 cannot ping the default gatew...
- Question 21: Which Panorama feature allows for logs generated by Panorama...
- Question 22: Ethernet1/1 has been configured with the following subinterf...
- 1 commentQuestion 23: Which three options are available when creating a security p...
- Question 24: Which Security Policy Rule configuration option disables ant...
- Question 25: A Network Administrator wants to deploy a Large Scale VPN so...
- 1 commentQuestion 26: Which two statements are correct for the out-of-box configur...
- Question 27: Site-A and Site-B need to use IKEv2 to establish a VPN conne...
- Question 28: When performing the "ping" test shown in this CLI output: (E...
- Question 29: Which interface configuration will accept specific VLAN IDs?...
- Question 30: What is the default behavior when a Certificate Profile is c...
- 1 commentQuestion 31: A company is upgrading its existing Palo Alto Networks firew...
- 1 commentQuestion 32: What are two prerequisites for configuring a pair of Palo Al...
- Question 33: YouTube videos are consuming too much bandwidth on the netwo...
- Question 34: Click the Exhibit button below. (Exhibit) A firewall has thr...
- Question 35: A company has started utilizing WildFire in its network. Whi...
- Question 36: Which two interface types can be used when configuring Globa...
- Question 37: After pushing a security policy from Panorama to a PA-3020 f...
- Question 38: When using the predefined default antivirus profile, the pol...
- Question 39: A client is deploying a pair of PA-5000 series firewalls usi...
- Question 40: How are IPv6 DNS queries configured to use interface etherne...
- 2 commentQuestion 41: The web server is configured to listen for HTTP traffic on p...
- Question 42: Which Public Key Infrastructure component is used to authent...
- Question 43: Server Message Block (SMB), a common file-sharing applicatio...
- 1 commentQuestion 44: An administrator is configuring an IPSec VPN to a Cisco ASA ...
- Question 45: What happens when the traffic log shows an internal host att...
- Question 46: A distributed log collection deployment has dedicated Log Co...
- Question 47: The GlobalProtect Portal interface and IP address have been ...
- Question 48: Given the following routing table: (Exhibit) Which configura...
- Question 49: Only two Trust to Untrust allow rules have been created in t...
- Question 50: When a malware-infected host attempts to resolve a known com...
- Question 51: When is it necessary to activate a license when provisioning...
- Question 52: Which CLI command displays the current management plane memo...
- 1 commentQuestion 53: Which setting will allow a DoS protection profile to limit t...
- 1 commentQuestion 54: A company hosts a publicly accessible web server behind a Pa...
- Question 55: A network security engineer is asked to provide a report on ...
- Question 56: Company.com wants to enable Application Override. Given the ...
- Question 57: Site-A and Site-В have a site-to-site VPN set up between th...
- Question 58: Which authentication source requires the installation of Pal...
- Question 59: Which three rule types are available when defining polices i...
- Question 60: How is the Forward Untrust Certificate used?...
- Question 61: People are having intermittent quality issues during a live ...
- Question 62: A network engineer has received a report of problems reachin...
- 1 commentQuestion 63: What are three valid actions in a File Blocking Profile? (Ch...
- Question 64: Given the following diagram: (Exhibit) A VPN connection has ...
- Question 65: Which URL Filtering Security Profile action logs the URL Fil...
- 1 commentQuestion 66: What are three valid options when creating a new security po...
- Question 67: For which two functions is the management plane responsible?...
- Question 68: A file sharing application is being permitted and no one kno...
- 1 commentQuestion 69: Given these tables: (Exhibit) SVR1 is a webserver hosted in ...
- Question 70: Which option is an IPv6 routing protocol?...
- Question 71: A network administrator uses Panorama to push security polic...
- Question 72: Which field is optional when creating a new Security Police ...
- Question 73: Several offices are connected with VPNs using static IPv4 ro...
- 1 commentQuestion 74: Which two virtualized environments support Active/Active Hig...
- 1 commentQuestion 75: Company.com has an in-house application that the Palo Alto N...
- Question 76: Firewall administrators cannot authenticate to a firewall GU...
- Question 77: What must be used in Security Policy Rules that contain addr...
- Question 78: Which two mechanisms help prevent a split brain scenario in ...
- Question 79: Click the Exhibit button. (Exhibit) An administrator has not...
- Question 80: A host attached to ethernet1/3 cannot access the Internet. T...
- Question 81: What can cause missing SSL packets when performing a packet ...
- Question 82: Which Palo Alto Networks VM-Series firewall is supported for...
- Question 83: On March 10, 2016, between 11:00 am and 11:30 am, users repo...
- Question 84: Which three log-forwarding destinations require a server pro...
- Question 85: Which three functions are found on the dataplane of a PA-505...
- Question 86: Which two methods can be used to mitigate resource exhaustio...
- Question 87: Site-A and Site-В have a site-to-site VPN set up between th...
- Question 88: Palo Alto Networks maintains a dynamic database of malicious...
- Question 89: Which client software can be used to connect remote Linux cl...
- Question 90: A network security engineer has a requirement to allow an ex...
- Question 91: Which two options are required on an M-100 appliance to conf...
- Question 92: A network security engineer needs to configure a virtual rou...
- Question 93: How does Panorama handle incoming logs when it reaches the m...
- Question 94: A Palo Alto Networks firewall is being targeted by an NTP Am...
- Question 95: The Network Security Administrator discovers that the compan...
- Question 96: What are three valid methods of user mapping? (Choose three....
- Question 97: A VPN connection is set up between Site-A and Site-B, but no...
- Question 98: The company's Panorama server (IP: 10.10.10.5) is not able t...
- Question 99: What are three possible verdicts that WildFire can provide f...
- Question 100: Site-A and Site-В have a site-to-site VPN set up between th...
- Question 101: A network design calls for a "router on a stick" implementat...
- Question 102: A network security engineer is asked to perform a Return Mer...
- Question 103: A firewall administrator is troubleshooting problems with tr...
- Question 104: How can a Palo Alto Networks firewall be configured to send ...
- Question 105: A firewall administrator has completed most of the steps req...
- Question 106: A company has a policy that denies all applications it class...
[×]
Download PDF File
Enter your email address to download PaloAltoNetworks.PCNSE7.v2018-04-11.q106.pdf