PCNSE Exam Dumps
Palo Alto Networks PCNSE Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 PDF Sample Questions
Best Palo Alto Networks PCNSE Dumps - pass your exam In First Attempt
Our PCNSE dumps are better than all other cheap PCNSE study material.
The best way to pass your Palo Alto Networks PCNSE exam is to get reliable exam study materials. We assure you that realexamdumps is one of the most authentic websites for Palo Alto Networks Palo Alto Certifications and Accreditations exam questions and answers. Pass your PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 exam with full confidence. You can get a free Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 demo from realexamdumps. We ensure 100% success in your PCNSE exam with the help of Palo Alto Networks Dumps. You will feel proud to become a part of the realexamdumps family.
Our success rate over the past 5 years is very impressive. Our customers are able to build their careers in the IT field.
Sample Questions
Realexamdumps provides the most updated Palo Alto Certifications and Accreditations questions and answers. Here are a few sample questions:
Palo Alto Networks PCNSE Sample Question 1
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow?
Options:
Answer: B Explanation: Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.
Palo Alto Networks PCNSE Sample Question 2
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 3
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)
Options:
Answer: A, E
Palo Alto Networks PCNSE Sample Question 4
How can packet buffer protection be configured?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 5
How are IPv6 DNS queries configured to use interface ethernet1/3?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 6
Which Panorama objects restrict administrative access to specific device-groups?
Options:
Answer: C Explanation: Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/role-based-access-control/access-domains.html
Palo Alto Networks PCNSE Sample Question 7
A variable name must start with which symbol?
Options:
Answer: A Explanation: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/configure-template-or-template-stack-variables.html
Palo Alto Networks PCNSE Sample Question 8
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the VWire interface. What are three supported functions on the VWire interface? (Choose three.)
Options:
Answer: A, B, D
Palo Alto Networks PCNSE Sample Question 9
An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?
Options:
Answer: A Explanation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html
Palo Alto Networks PCNSE Sample Question 10
Which client software can be used to connect a remote Linux client into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats?
Options:
Answer: A Explanation: http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/
Palo Alto Networks PCNSE Sample Question 11
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?
Options:
Answer: C
Palo Alto Networks PCNSE Sample Question 12
Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two.)
Options:
Answer: C, F
Palo Alto Networks PCNSE Sample Question 13
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)
Options:
Answer: A, C
Palo Alto Networks PCNSE Sample Question 14
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall. Which part of files needs to be imported back into the replacement firewall that is using Panorama?
Options:
Answer: B
Palo Alto Networks PCNSE Sample Question 15
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred?
Options:
Answer: C
Palo Alto Networks PCNSE Sample Question 16
When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?
Options:
Answer: D
Palo Alto Networks PCNSE Sample Question 17
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 18
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?
Options:
Answer: D
Palo Alto Networks PCNSE Sample Question 19
An administrator's device-group commit push is failing due to a new URL category. How should the administrator correct this issue?
Options:
Answer: C Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqx
Palo Alto Networks PCNSE Sample Question 20
Which Captive Portal mode must be configured to support MFA authentication?
Options:
Answer: B Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication
Palo Alto Networks PCNSE Sample Question 21
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
Options:
Answer: D Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-ssltls-service-profile
Palo Alto Networks PCNSE Sample Question 22
Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?
Options:
Answer: B Explanation: "The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day."
References:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal.html#:~:text=All%20Palo%20Alto%20Networks%20customers,a%20day%20for%20WildFire%20analysis.
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-subscription
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal.html
Palo Alto Networks PCNSE Sample Question 23
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
Options:
Answer: A Explanation: You are unable to downgrade from PAN-OS 8.1 to an earlier PAN-OS release if variables are used in your template or template stack configuration. Variables must be removed from the template and template stack configuration to downgrade.
Palo Alto Networks PCNSE Sample Question 24
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
Options:
Answer: B
Palo Alto Networks PCNSE Sample Question 25
Which virtual router feature determines if a specific destination IP address is reachable?
Options:
Answer: C Explanation: References: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf, https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf
Palo Alto Networks PCNSE Sample Question 26
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?
Options:
Answer: C
Palo Alto Networks PCNSE Sample Question 27
Which operation will impact the performance of the management plane?
Options:
Answer: D Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK
Decrypting SSL sessions is a dataplane task. DoS Protection is a dataplane task. WildFire submissions is a dataplane task. Generating a SaaS Application report is a management plane function.
Palo Alto Networks PCNSE Sample Question 28
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site?
Options:
Answer: A Explanation: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite-configurations.html
Palo Alto Networks PCNSE Sample Question 29
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?
Options:
Answer: C Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmTCAS
DoS Protection Profiles set the protection thresholds to provide DoS protection against flooding of new sessions for IP floods (CPS limits), to provide resource protection (maximum concurrent session limits for specified endpoints and resources), and to configure whether the profile applies to aggregate or classified traffic. DoS Protection policy rules control where to apply DoS protection and which action to take when traffic matches the criteria defined in the rule. Unlike a Zone Protection Profile, which protects only the ingress zone, DoS Protection Profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Unlike the case with a Zone Protection Profile, which supports only aggregate traffic, you can configure aggregate or classified DoS Protection Profiles and policy rules.
Palo Alto Networks PCNSE Sample Question 30
What file type upload is supported as part of the basic WildFire service?
Options:
Answer: A Explanation: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-subscription.html
Palo Alto Networks PCNSE Sample Question 31
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?
Options:
Answer: D Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK
"...behavior when selecting the Application as web-browsing and the Service to application-default. Web-browsing will be allowed over both its standard and secure port. The security policy will allow web-browsing over both port 80 and 443."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAT
Palo Alto Networks PCNSE Sample Question 32
Which log file can be used to identify SSL decryption failures?
Options:
Answer: D Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAD
Palo Alto Networks PCNSE Sample Question 33
A speed/duplex negotiation mismatch exists between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?
Options:
Answer: C Explanation: Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034
user@PA# set deviceconfig system speed-duplex
  100Mbps-full-duplex   100Mbps-full-duplex
  100Mbps-half-duplex   100Mbps-half-duplex
  10Mbps-full-duplex    10Mbps-full-duplex
  10Mbps-half-duplex    10Mbps-half-duplex
  1Gbps-full-duplex     1Gbps-full-duplex
  1Gbps-half-duplex     1Gbps-half-duplex
  auto-negotiate        auto-negotiate
Palo Alto Networks PCNSE Sample Question 34
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?
Options:
Answer: A Explanation: The question is simply asking how to verify if traffic was being decrypted. There are two ways to see this in the traffic logs:
1. To confirm that the traffic is decrypted, go to WebGUI > Monitor > Logs > Traffic and click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.
2. Another way to validate the decrypted session is by enabling the "Decrypted" column in the Traffic logs. This can be done by clicking the down arrow next to any column title and selecting Columns > Decrypted. This shows decrypted status in the regular traffic log view.
References: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC
Palo Alto Networks PCNSE Sample Question 35
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?
Options:
Answer: A Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your-panorama-deployment
Palo Alto Networks PCNSE Sample Question 36
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)
Options:
Answer: B, D, F
Palo Alto Networks PCNSE Sample Question 37
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)
Options:
Answer: B, C Explanation: Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload
Palo Alto Networks PCNSE Sample Question 38
Updates to dynamic user group membership are automatic; therefore, using dynamic user groups instead of static group objects allows you to:
Options:
Answer: D Explanation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups#:~:text=Because%20updates%20to%20dynamic%20user,threats%20without%20manual%20policy%20changes.
Palo Alto Networks PCNSE Sample Question 39
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
Options:
Answer: A, B, D, F Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/multi-factor-authentication
Push - An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS) - An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice - An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP) - An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication.html#idbc927952-a47e-4bec-ab80-0605a47b4874
Palo Alto Networks PCNSE Sample Question 40
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?
Options:
Answer: D Explanation: References: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9), https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os-admin/pan-os-admin.pdf (page 315)
Palo Alto Networks PCNSE Sample Question 41
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 42
Which CLI command enables an administrator to check the CPU utilization of the dataplane?
Options:
Answer: A Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXwCAK, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluDCAT
Palo Alto Networks PCNSE Sample Question 43
What must be used in a Security policy rule that contains addresses where NAT policy applies?
Options:
Answer: D
Palo Alto Networks PCNSE Sample Question 44
How is the Forward Untrust Certificate used?
Options:
Answer: D
Palo Alto Networks PCNSE Sample Question 45
Which CLI command displays the current management plane memory utilization?
Options:
Answer: B Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58150
Palo Alto Networks PCNSE Sample Question 46
Which three items are important considerations during SD-WAN configuration planning? (Choose three.)
Options:
Answer: A, C, D Explanation: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration
Palo Alto Networks PCNSE Sample Question 47
What are three valid methods of user mapping? (Choose three.)
Options:
Answer: A, B, F
Palo Alto Networks PCNSE Sample Question 48
An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?
Options:
Answer: B
Palo Alto Networks PCNSE Sample Question 49
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
Options:
Answer: E
Palo Alto Networks PCNSE Sample Question 50
A network security engineer wants to prevent resource-consumption issues on the firewall. Which strategy is consistent with decryption best practices to ensure consistent performance?
Options:
Answer: C
Palo Alto Networks PCNSE Sample Question 51
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?
Options:
Answer: C
Palo Alto Networks PCNSE Sample Question 52
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
Options:
Answer: B
Palo Alto Networks PCNSE Sample Question 53
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?
Options:
Answer: A Explanation: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/enable-log-forwarding-from-panorama-to-external-destinations
Palo Alto Networks PCNSE Sample Question 54
Which CLI command displays the current management plane memory utilization?
Options:
Answer: D Explanation: "The command show system resources gives a snapshot of Management Plane (MP) resource utilization including memory and CPU. This is similar to the 'top' command in Linux." https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system-resources/ta-p/59364
Palo Alto Networks PCNSE Sample Question 55
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks. What is the minimum amount of bandwidth the administrator could configure at the compute location?
Options:
Answer: D Explanation: The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation). https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth
Palo Alto Networks PCNSE Sample Question 56
Which three fields can be included in a pcap filter? (Choose three)
Options:
Answer: B, C, D Explanation: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069
Palo Alto Networks PCNSE Sample Question 57
Which setting allows a DoS Protection profile to limit the maximum concurrent sessions from a source IP address?
Options:
Answer: D
Palo Alto Networks PCNSE Sample Question 58
What are three reasons for excluding a site from SSL decryption? (Choose three.)
Options:
Answer: B, C, E Explanation: Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption.html
Palo Alto Networks PCNSE Sample Question 59
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?
Options:
Answer: C