2017 June New Updated PCNSE7 Exam Dumps with PDF and VCE Free Shared in www.Braindump2go.com Today!
100% Real Exam Questions! 100% Exam Pass Guaranteed!
1.|2017 New PCNSE7 PDF and PCNSE7 VCE 131Q&As Download:
2.|2017 New PCNSE7 Questions and Answers PDF Download:
A network design change requires an existing firewall to start accessing Palo Alto Updates from a dataplane interface address instead of the management interface.
Which configuration setting needs to be modified?
A. Authentication profile
B. Default route
C. Service route
D. Management profile
The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.
You can configure service routes globally for the firewall or Customize Service Routes for a Virtual System on a firewall enabled for multiple virtual systems so that you have the flexibility to use interfaces associated with a virtual system.
A network security engineer needs to configure a virtual router using IPv6 addresses.
Which two routing options support these addresses? (Choose two.)
A. Static Route
C: OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes.
A: How to Set Default Route for IPv6 Traffic
1. Go to Network > Virtual Router
2. Add a Virtual Router and go to Static Routes > IPv6.
3. Add a Static Route:
E. Set destination (example, IPV4 0.0.0.0/0) as ::0/
F. Select the Interface
G. Set the Next Hop IP address
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished?
A. Create a Template with the appropriate lKE Gateway settings.
B. Create a Device Group with the appropriate lPSec tunnel settings.
C. Create a Device Group with the appropriate IKE Gateway settings.
D. Create a Template with the appropriate lPSec tunnel settings.
Note: The administrator of the satellite must enter the credentials when the satellite connects to the portal.
This is done on the satellite by navigating to Network > IPSec Tunnels and choosing “gateway info” and then clicking on “Enter Credentials”.
People are having intermittent quality issues during a live meeting via a web application.
How can the performance of this application be improved?
A. Use QoS Profile to define QoS Classes and a QoS Policy
B. Use QoS Classes to define QoS Profile
C. Use QoS Classes to define QoS Profile and QoS Policy
D. Use QoS Profile to define QoS Classes
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?
A. When configuring GlobalProtect portal
B. When configuring User Activity Reports
C. When configuring Certificate Profiles
D. When configuring Antivirus Dynamic Updates
A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?
A. Block all unauthorized applications using a security policy.
B. Block all known internal custom applications.
C. Create a File Blocking Profile that blocks Layer 4 and Layer 7 attacks.
D. Create a WildFire Analysis Profile that blocks Layer4 and Layer 7 attacks.
The firewall uses file blocking profiles two ways: to forward files to WildFire for analysis or to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both).
You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
D: Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download).
YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic.
The following interfaces and zones are in use on the firewall:
– ethernet 1/1, Zone: Untrust (Internet-facing)
– ethernet 1/2, Zone: Trust (client-facing)
A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet 1/1 has a QoS profile called Outbound, and interface Ethernet 1/21 has a QoS profile called Inbound.
Which setting for Class 6 will throttle YouTube traffic?
A. Outbound profile with Guaranteed Ingress
B. Inbound profile with Maximum Egress
C. Inbound profile with Guaranteed Egress
D. Outbound profile with Maximum Ingress
Identify the egress interface for applications that you identified as needing QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
Which field is optional when creating a new Security Police rule?
B. Destination Zone
E. Source Zone
The optional fields are: Description, Tag, Source IP Address and Destionation IP Address.
When using the predefined default antivirus profile, the policy will inspect for viruses on the decoders.
Match each decoder with its default action. Answer options may be used more than once or not at all. (select four)
A. IMAP – Alert
B. IMAP – Reset-both
C. HTTP – Alert
D. HTTP – Reset-both
E. FTP, SMB – Alert
F. FTP, SMB – Reset-both
G. POP3, SMTP – Alert
H. POP3, SMTP – Reset-both
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols.
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log.
What will be the destination IP address in that log entry?
A. The IP address specified in the sinkhole configuration.
B. The IP address of the command-and-control server.
C. The IP address of sinkhole.paloaltonetworks.com
D. The IP address of one of the external DNS servers identified in the anti-spyware database.
Change the “Action on DNS queries” to ‘sinkhole’.
Click in the Sinkhole IPv4 field and type in the fake IP. The example here shows using 220.127.116.11 for simplicity, but as long as this fake IP is not used inside of the network, then it should be Ok. Alternatively, you can also use either a Loopback IP (127.0.0.1) or Palo Alto Networks Sinkhole IP (18.104.22.168).
How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers?
A. Select a non-standard syslog server profile
B. Check the custom-format check box in the syslog server profile.
C. Enable support for non-standard syslog messages under device management.
D. Create a custom log format under the syslog server profile.
To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab.
For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)
A. The management interfaces must be on the same network.
B. The firewalls must have the same set of licenses.
C. The peer HA1 IP address must be the same on both firewalls.
D. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
The same set of licenses –Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
The same type of interfaces –Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
Which device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?
Select the Parent Device Group (default is Shared) that will be just above the device group you are creating in the device group hierarchy.
1.|2017 New PCNSE7 PDF and PCNSE7 VCE 131Q&As Download:
2.|2017 New PCNSE7 Study Guide Video: