Question 1
A host attached to ethernet1/4 cannot ping the default gateway. The widget on the dashboard shows ethernet1/1 and ethernet1/4 to be green. The IP address of ethernet1/1 is and the IP address of ethernet1/4 is . The default gateway is attached to ethernet1/1. A default route is properly configured.
What can be the cause of this problem?
A. No zone has been configured on ethernet1/4.
B. Interface ethernet1/1 is in Virtual Wire Mode.
C. DNS has not been properly configured on the firewall.
D. DNS has not been properly configured on the host.
Answer: A
A: After you plan your zones and the corresponding interfaces, you can configure them on the device. A Layer 3 interface that has not been assigned to a security zone shows as up (green) on the dashboard but does not forward traffic, so the host behind ethernet1/4 cannot reach the gateway on ethernet1/1.
Incorrect Answers:
B: In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.
C, D: DNS is not required to ping IP addresses.
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/getting-started/configure-interfaces-and-zones
Question 2
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunnel is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?
A. Set ethernet1/21 to p2p
B. Set tunnel.10 to p2p
C. Set tunnel.10 to p2mp
D. Set ethernet1/21 to p2mp
Answer: A
We should set p2p on the Ethernet interface to enable automatic discovery of neighbors.
Note: OSPF Link Type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, as on an Ethernet interface. Choose p2p (point-to-point) to automatically discover a single neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
References: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/ospf
Question 3
Given the following routing table:

Which configuration change on the firewall would cause it to use as the next hop for the network?
A. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
D. Configuring the metric for RIP to be lower than that of OSPF Ext
Answer: A
We see that the entry for with next hop is marked with an R, so it is a RIP route. There is also an entry for with next hop that is the active OSPF intra-area route (Oi Int).
By lowering the Administrative Distance for RIP to a value lower than that of OSPF Int, the entry with next hop will be preferred.
Note: The best route is then selected among them based on the Administrative Distance (AD) value of the routing protocol each route came from, and that route is marked with flag A, stating that it is the Active route. Administrative distance (AD) is an arbitrary numerical value assigned to dynamic routes, static routes and directly-connected routes. The value is used by vendor-specific routers to rank routes from most preferred to least preferred. When multiple paths to the same destination are available, the router uses the route with the lowest administrative distance and inserts the preferred route into its routing table.
References: https://live.paloaltonetworks.com/t5/Management-Articles/Routing-Table-has-Multiple-Prefixes-for-the-Same-Route/ta-p/54781

Question 4
A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites?
A. Change the Site-B IKE Gateway profile version to match Site-A.
B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.
C. Enable NAT Traversal on the Site-A IKE Gateway profile.
D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A.
Answer: D
The IKE Phase 1 negotiation failed because of the pre-shared key (PSK), which is exactly what the ike-nego-p1-fail-psk event reports; the keys on both sides must match.
Note: The IKE authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption.
References: https://en.wikipedia.org/wiki/Internet_Key_Exchange
Question 5
A company is upgrading its existing Palo Alto Networks firewalls from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the enterprise? (Choose three.)
A. Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually
B. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall.
C. Push the PAN-OS 7.0.4 updates from the support site to install on each firewall.
D. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one
E. Download and install PAN-OS 7.0.4 directly on each firewall.
F. Download and push PAN-OS 7.0.4 from Panorama to each firewall.
Answer: A, C, F
A: To manually download the software and install onto the device:
1. Navigate to the Palo Alto Networks Support Portal on a web browser.
2. Go to the Software Updates page and download the appropriate PAN-OS release for your device.
3. On the WebUI of the device, navigate to Device > Software and click "Upload." Browse to locate the downloaded software package, then click OK to upload the file to the device.
4. Click "Install from File" and select the uploaded file.
5. Click OK to initiate the upgrade.
C, F: How to Upgrade PAN-OS on a Palo Alto Networks Device
1. From the WebGUI, go to Device > Software, or on Panorama, Panorama > Software on the left pane to open the software page.
2. In the lower left corner, click "Check Now" to update the list of latest software releases available from Palo Alto Networks.
3. Download and install the new release. Refer to the Base Version Note below about base versions.
To install a new release from the download site:
1. Click Download next to the release to be installed. When the download is complete, a check mark is displayed in the Downloaded column.
2. Click Install next to the release to initiate the installation. During installation, an option is available to have the device automatically reboot when installation is complete.
3. When the installation is complete, a prompt displays to restart the device.
References: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Upgrade-PAN-OS-on-a-Palo-Alto-Networks-Device/ta-p/53648
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Install-Software-Image-that-was-Pushed-from-Panorama/ta-p/56713
Question 6
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two.)
A. Panorama virtual appliance on ESX(i) only
B. M-500
C. M-100 with Panorama installed
D. M-100
Answer: B, C

B: Each M-500 appliance can process up to 60,000 logs/second.
C: M-100 appliance in Log Collector Mode. Each M-100 appliance can process up to 30,000 logs/second and store up to 4TB of log data.
Note: To enable the Panorama management server (Panorama virtual appliance or M-Series appliance in Panorama mode) to manage a Log Collector, you must add it as a managed collector. The M-Series appliance in Panorama mode has a predefined (default) local Log Collector. However, switching from Panorama Mode to Log Collector Mode would remove the local Log Collector and would require you to re-configure the appliance as a Dedicated Log Collector (M-Series appliance in Log Collector mode).
Incorrect Answers:
A: For up to 10,000 logs/second, the recommended log collector depends on the Panorama management server:
* Virtual appliance: Panorama collects logs without any Log Collector.
* M-Series appliance: Local default Log Collector.
D: M-100 without Panorama installed would use the local default Log Collector, and would handle a maximum of 10,000 logs per second.
References: https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-log-collection/log-collection-deployments#18043
Question 7
Which three fields can be included in a pcap filter? (Choose three.)
A. Egress Interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress Interface
Answer: B, C, D
B, D: The following are a few filter examples (though NOT limited solely to these options) that can be referenced/utilized/applied:
Filter By Port
> tcpdump filter "port 80"
Filter By Source IP
> tcpdump filter "src x.x.x.x"
Filter By Destination IP
> tcpdump filter "dst x.x.x.x"
Filter By Host (src & dst) IP
> tcpdump filter "host x.x.x.x"
Filter By Host (src & dst) IP, excluding SSH traffic
> tcpdump filter "host x.x.x.x and not port 22"
C: pcap filter expression primitives include:
* rnr num
True if the packet was logged as matching the specified PF rule number (applies only to packets logged by OpenBSD's or FreeBSD's pf(4)).
* rulenum num
Synonymous with the rnr modifier.
References: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management-Interface/ta-p/55415
Question 8
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information:
* Users outside the company are in the "Untrust-L3" zone.
* The web server physically resides in the "Trust-L3" zone.
* Web server public IP address:
* Web server private IP address:
Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)
A. Untrust-L3 for both Source and Destination Zone
B. Destination IP of
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of
Answer: C, D
C: Restrict access from the Internet to the servers on the DMZ to specific server IP addresses only.
For example, you might only allow users to access the webmail servers from outside.
Zone: Untrust to DMZ
D: Set the Destination Address to the Public web server address object you created earlier. The public web server address object references the public IP address of the web server that is accessible on the DMZ.
References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-security-policies

Question 9
A network engineer has received a report of problems reaching through vr1 on the firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue?
A. test routing fib virtual-router vr1
B. show routing route type static destination
C. test routing fib-lookup ip virtual-router vr1
D. show routing interface
Answer: C
The referenced article explains how to perform a FIB lookup for a particular destination within a particular virtual router on a Palo Alto Networks firewall:
1. Select the desired virtual router from the list of virtual routers configured with the command:
> test routing fib-lookup virtual-router
2. Specify a destination IP address:
> test routing fib-lookup virtual-router default ip
Note: A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper interface to which the input interface should forward a packet.
References: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Perform-FIB-Lookup-for-a-Particular-Destination/ta-p/52188
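As an added illustration of the route selection behind Question 3 and the FIB lookup behind Question 9 (example code written for this page, not taken from the referenced articles): the constructed routing table below holds one prefix learned from both RIP and OSPF intra-area, the active route per prefix is chosen by administrative distance before metric (the AD values are assumed PAN-OS defaults and can be changed per virtual router), and a destination is then resolved by longest-prefix match, which is what test routing fib-lookup reports for a single address.

```python
import ipaddress

# Assumed PAN-OS default administrative distances per route source flag
# (C connected, S static, B BGP, Oi OSPF intra-area, Oe OSPF external, R RIP).
DEFAULT_AD = {"C": 0, "S": 10, "B": 20, "Oi": 30, "Oe": 110, "R": 120}

# Constructed routing table: (prefix, next hop, source flag, protocol metric).
# 10.1.0.0/16 is learned twice, once from RIP and once from OSPF intra-area.
RIB = [
    ("10.1.0.0/16", "192.0.2.1", "R", 5),
    ("10.1.0.0/16", "192.0.2.2", "Oi", 20),
    ("10.1.2.0/24", "192.0.2.3", "S", 0),
    ("0.0.0.0/0", "192.0.2.254", "S", 0),
]


def build_fib(rib, ad_overrides=None):
    """Pick the active (A-flagged) route per prefix: lowest AD wins, then lowest metric.

    ad_overrides models changing a protocol's AD on the virtual router (Question 3,
    option A). Because AD is compared first, a lower metric never beats a lower AD.
    """
    ad = {**DEFAULT_AD, **(ad_overrides or {})}
    best = {}
    for prefix, next_hop, flag, metric in rib:
        rank = (ad[flag], metric)
        if prefix not in best or rank < best[prefix][0]:
            best[prefix] = (rank, next_hop, flag)
    return {p: (nh, flag) for p, (_rank, nh, flag) in best.items()}


def fib_lookup(fib, destination):
    """Longest-prefix match for one destination, as 'test routing fib-lookup' does."""
    addr = ipaddress.ip_address(destination)
    match = None
    for prefix, (next_hop, flag) in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, next_hop, flag)
    return None if match is None else (str(match[0]), match[1], match[2])


if __name__ == "__main__":
    # Default ADs: the OSPF intra-area route (AD 30) is active, RIP (AD 120) is not
    print(fib_lookup(build_fib(RIB), "10.1.5.9"))
    # Lowering RIP's AD below OSPF Int flips the active route to the RIP next hop
    print(fib_lookup(build_fib(RIB, {"R": 20}), "10.1.5.9"))
```

Raising or lowering the RIP metric alone (options B and D) leaves the OSPF route active, because the metric is only consulted between routes with equal AD.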
Question 10
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile.
What should be done next?
A. Click the simple-critical rule and then click the Action drop-down list.
B. Click the Exceptions tab and then click Show all signatures.
C. View the default actions displayed in the Action column.
D. Click the Rules tab and then look for rules with "default" in the Action column.
Answer: B

All Anti-Spyware and Vulnerability Protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.
References: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html
