Palo Alto Networks PCNSE Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 PDF Sample Questions

Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
177 Questions
Last Update Date: 21 May, 2024
Best Palo Alto Networks PCNSE Dumps - Pass Your Exam on the First Attempt

Our PCNSE dumps are better than all other cheap PCNSE study material.

The best way to pass your Palo Alto Networks PCNSE exam is to use reliable study materials. We assure you that realexamdumps is one of the most authentic websites for Palo Alto Networks Palo Alto Certifications and Accreditations exam questions and answers. Pass your PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 exam with full confidence. You can get a free Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 demo from realexamdumps. We ensure 100% success in the PCNSE exam with the help of Palo Alto Networks dumps. You will feel proud to become a part of the realexamdumps family.

Our success rate over the past 5 years is very impressive. Our customers are able to build their careers in the IT field.


Sample Questions

Realexamdumps provides the most up-to-date Palo Alto Certifications and Accreditations questions and answers. Here are a few sample questions:

Palo Alto Networks PCNSE Sample Question 1

An engineer must configure the Decryption Broker feature.

Which Decryption Broker security chain supports bi-directional traffic flow?


Options:

A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain

Answer: B

Explanation: Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.

Palo Alto Networks PCNSE Sample Question 2

When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?


Options:

A. The interface must be used for traffic to the required services
B. You must enable DoS and zone protection
C. You must set the interface to Layer 2, Layer 3, or virtual wire
D. You must use a static IP address

Answer: E

Palo Alto Networks PCNSE Sample Question 3

What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.)


Options:

A. The firewalls must have the same set of licenses.
B. The management interfaces must be on the same network.
C. The peer HA1 IP address must be the same on both firewalls.
D. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.

Answer: A, E

Palo Alto Networks PCNSE Sample Question 4

How can packet buffer protection be configured?


Options:

A. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
B. at the device level (globally) and, if enabled globally, at the zone level
C. at the interface level to protect firewall resources
D. at zone level to protect firewall resources and ingress zones but not at the device level

Answer: E

Palo Alto Networks PCNSE Sample Question 5

How are IPv6 DNS queries configured to use interface ethernet1/3?


Options:

A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration

Answer: E

Palo Alto Networks PCNSE Sample Question 6

Which Panorama objects restrict administrative access to specific device-groups?


Options:

A. templates
B. admin roles
C. access domains
D. authentication profiles

Answer: C

Explanation: Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/role-based-access-control/access-domains.html

Palo Alto Networks PCNSE Sample Question 7

A variable name must start with which symbol?


Options:

A. $
B. &
C. !
D. #

Answer: A

Explanation: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/configure-template-or-template-stack-variables.html

Palo Alto Networks PCNSE Sample Question 8

An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the VWire interface.

What are three supported functions on the VWire interface? (Choose three.)


Options:

A. NAT
B. QoS
C. IPSec
D. OSPF
E. SSL Decryption

Answer: A, B, D

Palo Alto Networks PCNSE Sample Question 9

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group.

How should the administrator identify the configuration changes?


Options:

A. review the configuration logs on the Monitor tab
B. click Preview Changes under Push Scope
C. use Test Policy Match to review the policies in Panorama
D. context-switch to the affected firewall and use the configuration audit tool

Answer: A

Explanation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-commit-operations.html

Palo Alto Networks PCNSE Sample Question 10

Which client software can be used to connect a remote Linux client to a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats?


Options:

A. X-Auth IPsec VPN
B. GlobalProtect Apple IOS
C. GlobalProtect SSL
D. GlobalProtect Linux

Answer: A

Explanation: http://blog.webernetz.net/2014/03/31/palo-alto-globalprotect-for-linux-with-vpnc/

Palo Alto Networks PCNSE Sample Question 11

A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?


Options:

A. From the CLI, issue the show counter global filter pcap yes command.
B. From the CLI, issue the show counter global filter packet-filter yes command.
C. From the GUI, select show global counters under the monitor tab.
D. From the CLI, issue the show counter interface command for the ingress interface.

Answer: C

Palo Alto Networks PCNSE Sample Question 12

Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two.)


Options:

A. ms.log
B. traffic.log
C. system.log
D. dp-monitor.log
E. authd.log

Answer: C, F

Palo Alto Networks PCNSE Sample Question 13

Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)


Options:

A. KVM
B. VMware ESX
C. VMware NSX
D. AWS

Answer: A, C

Palo Alto Networks PCNSE Sample Question 14

A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall.

Which part of files needs to be imported back into the replacement firewall that is using Panorama?


Options:

A. Device state and license files
B. Configuration and serial number files
C. Configuration and statistics files
D. Configuration and Large Scale VPN (LSVPN) setups file

Answer: B

Palo Alto Networks PCNSE Sample Question 15

A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair.

What allows the firewall administrator to determine the last date a failover event occurred?


Options:

A. From the CLI, issue the show System log command
B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the configuration log
D. Check the status of the High Availability widget on the Dashboard of the GUI

Answer: C

Palo Alto Networks PCNSE Sample Question 16

When configuring forward error correction (FEC) for PAN-OS SD-WAN, an administrator would turn on the feature inside which type of SD-WAN profile?


Options:

A. Certificate profile
B. Path Quality profile
C. SD-WAN Interface profile
D. Traffic Distribution profile

Answer: D

Palo Alto Networks PCNSE Sample Question 17

A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?


Options:

A. URL Filtering profile
B. Vulnerability Protection profile
C. Data Filtering profile
D. DoS Protection profile

Answer: E

Palo Alto Networks PCNSE Sample Question 18

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?


Options:

A. Create a Dynamic Admin with the Panorama Administrator role
B. Create a Custom Panorama Admin
C. Create a Device Group and Template Admin
D. Create a Dynamic Read only superuser

Answer: D

Palo Alto Networks PCNSE Sample Question 19

An administrator's device-group commit push is failing due to a new URL category.

How should the administrator correct this issue?


Options:

A. verify that the URL seed file has been downloaded and activated on the firewall
B. change the new category action to "alert" and push the configuration again
C. update the Firewall Apps and Threat version to match the version of Panorama
D. ensure that the firewall can communicate with the URL cloud

Answer: C

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqx

Palo Alto Networks PCNSE Sample Question 20

Which Captive Portal mode must be configured to support MFA authentication?


Options:

A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent

Answer: B

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-multi-factor-authentication

Palo Alto Networks PCNSE Sample Question 21

Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?


Options:

A. Configure a Decryption Profile and select SSL/TLS services.
B. Set up SSL/TLS under Policies > Service/URL Category > Service.
C. Set up Security policy rule to allow SSL communication.
D. Configure an SSL/TLS Profile.

Answer: D

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-ssltls-service-profile

Palo Alto Networks PCNSE Sample Question 22

Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?


Options:

A. 15,000
B. 10,000
C. 75,00
D. 5,000

Answer: B

Explanation: https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal.html#:~:text=All%20Palo%20Alto%20Networks%20customers,a%20day%20for%20WildFire%20analysis.

"The WildFire API supports up to 1,000 file submissions and up to 10,000 queries a day."

https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-subscription

https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/submit-files-for-wildfire-analysis/manually-upload-files-to-the-wildfire-portal.html

Palo Alto Networks PCNSE Sample Question 23

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?


Options:

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

Answer: A

Explanation: You are unable to downgrade from PAN-OS 8.1 to an earlier PAN-OS release if variables are used in your template or template stack configuration. Variables must be removed from the template and template stack configuration to downgrade.

Palo Alto Networks PCNSE Sample Question 24

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?


Options:

A. Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Answer: B

Palo Alto Networks PCNSE Sample Question 25

Which virtual router feature determines if a specific destination IP address is reachable?


Options:

A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path

Answer: C

Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf, https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf

Palo Alto Networks PCNSE Sample Question 26

Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log?


Options:

A. Configuration
B. GlobalProtect
C. Authentication
D. System

Answer: C

Palo Alto Networks PCNSE Sample Question 27

Which operation will impact the performance of the management plane?


Options:

A. WildFire Submissions
B. DoS Protection
C. decrypting SSL Sessions
D. Generating a SaaS Application Report.

Answer: D

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

Decrypting SSL Sessions is a dataplane task. DoS Protection is a dataplane task. WildFire submissions is a dataplane task. Generating a SaaS Application report is a management plane function.

Palo Alto Networks PCNSE Sample Question 28

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?


Options:

A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels

Answer: A

Explanation: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite-configurations.html

Palo Alto Networks PCNSE Sample Question 29

A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.

How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?


Options:

A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
B. Add QoS Profiles to throttle incoming requests
C. Add a tuned DoS Protection Profile
D. Add an Anti-Spyware Profile to block attacking IP address

Answer: C

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmTCAS

DoS Protection Profiles set the protection thresholds to provide DoS protection against flooding of new sessions for IP floods (CPS limits) to provide resource protection (maximum concurrent session limits for specified endpoints and resources) and to configure whether the profile applies to aggregate or classified traffic. DoS Protection policy rules control where to apply DoS protection and which action to take when traffic matches the criteria defined in the rule.

Unlike a Zone Protection Profile, which protects only the ingress zone, DoS Protection Profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Unlike the case with a Zone Protection Profile, which supports only aggregate traffic, you can configure aggregate or classified DoS Protection Profiles and policy rules.

Palo Alto Networks PCNSE Sample Question 30

What file type upload is supported as part of the basic WildFire service?


Options:

A. PE
B. BAT
C. VBS
D. ELF

Answer: A

Explanation: https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/wildfire-overview/wildfire-subscription.html

Palo Alto Networks PCNSE Sample Question 31

A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?


Options:

A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
C. Rule #1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer: D

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK

"...behavior when selecting the Application as web-browsing and the Service to application-default. Web-browsing will be allowed over both its standard and secure port. The security policy will allow web-browsing over both port 80 and 443."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAT

Palo Alto Networks PCNSE Sample Question 32

Which log file can be used to identify SSL decryption failures?


Options:

A. Configuration
B. Threats
C. ACC
D. Traffic

Answer: D

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAD

Palo Alto Networks PCNSE Sample Question 33

A speed/duplex negotiation mismatch exists between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?


Options:

A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex

Answer: C

Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034

user@PA# set deviceconfig system speed-duplex
  100Mbps-full-duplex 100Mbps-full-duplex
  100Mbps-half-duplex 100Mbps-half-duplex
  10Mbps-full-duplex 10Mbps-full-duplex
  10Mbps-half-duplex 10Mbps-half-duplex
  1Gbps-full-duplex 1Gbps-full-duplex
  1Gbps-half-duplex 1Gbps-half-duplex
  auto-negotiate auto-negotiate

Palo Alto Networks PCNSE Sample Question 34

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?


Options:

A. In the details of the Traffic log entries
B. Decryption log
C. Data Filtering log
D. In the details of the Threat log entries

Answer: A

Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC

The question is simply asking how to verify whether traffic was being decrypted. There are two ways to see this in the Traffic logs:

1. To confirm that the traffic is decrypted, go to WebGUI > Monitor > Logs > Traffic and click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.
2. Another way to validate the decrypted session is by enabling the "Decrypted" column in the Traffic logs. This can be done by clicking the down arrow next to any column title and selecting Columns > Decrypted. This shows decrypted status in the regular traffic log view.

Palo Alto Networks PCNSE Sample Question 35

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.

How would the administrator establish the chain of trust?


Options:

A. Use custom certificates
B. Enable LDAP or RADIUS integration
C. Set up multi-factor authentication
D. Configure strong password authentication

Answer: A

Reference: https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama-overview/plan-your-panorama-deployment

Palo Alto Networks PCNSE Sample Question 36

An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.)


Options:

A. WildFire updates
B. NAT
C. NTP
D. antivirus
E. File blocking

Answer: B, D, F

Palo Alto Networks PCNSE Sample Question 37

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)


Options:

A. The firewall is in multi-vsys mode.
B. The traffic is offloaded.
C. The traffic does not match the packet capture filter.
D. The firewall’s DP CPU is higher than 50%.

Answer: B, C

Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload

Palo Alto Networks PCNSE Sample Question 38

Updates to dynamic user group membership are automatic; therefore, using dynamic user groups instead of static group objects allows you to:


Options:

A. respond to changes in user behavior or potential threats using manual policy changes
B. respond to changes in user behavior or potential threats without automatic policy changes
C. respond to changes in user behavior and confirmed threats with manual policy changes
D. respond to changes in user behavior or potential threats without manual policy changes

Answer: D

Explanation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups#:~:text=Because%20updates%20to%20dynamic%20user,threats%20without%20manual%20policy%20changes.

Palo Alto Networks PCNSE Sample Question 39

Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)


Options:

A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password

Answer: A, B, D, F

Explanation: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/multi-factor-authentication

Push - An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.

Short message service (SMS) - An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

Voice - An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

One-time password (OTP) - An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication.html#idbc927952-a47e-4bec-ab80-0605a47b4874

Palo Alto Networks PCNSE Sample Question 40

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?


Options:

A. 0
B. 99
C. 1
D. 255

Answer: D

Reference: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/71/pan-os/pan-os/section_5.pdf (page 9), https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-0/pan-os-admin/pan-os-admin.pdf (page 315)

Palo Alto Networks PCNSE Sample Question 41

Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.

How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?


Options:

A. Enable on Site-A only
B. Enable on Site-B only
C. Enable on Site-B only with passive mode
D. Enable on Site-A and Site-B

Answer: E

Palo Alto Networks PCNSE Sample Question 42

Which CLI command enables an administrator to check the CPU utilization of the dataplane?


Options:

A. show running resource-monitor
B. debug data-plane dp-cpu
C. show system resources
D. debug running resources

Answer: A

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXwCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluDCAT

Palo Alto Networks PCNSE Sample Question 43

What must be used in a Security policy rule that contains addresses where NAT policy applies?


Options:

A. Pre-NAT addresses and Pre-NAT zones
B. Post-NAT addresses and Post-NAT zones
C. Pre-NAT addresses and Post-NAT zones
D. Post-NAT addresses and Pre-NAT zones

Answer: D

Palo Alto Networks PCNSE Sample Question 44

How is the Forward Untrust Certificate used?


Options:

A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted.
B. It is used when web servers request a client certificate.
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.
D. It is used for Captive Portal to identify unknown users.

Answer: D

Palo Alto Networks PCNSE Sample Question 45

Which CLI command displays the current management plane memory utilization?


Options:

A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor

Answer: B

Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58150

Palo Alto Networks PCNSE Sample Question 46

Which three items are important considerations during SD-WAN configuration planning? (Choose three.)


Options:

A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations

Answer: A, C, D

Explanation: https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuratioo

Palo Alto Networks PCNSE Sample Question 47

What are three valid methods of user mapping? (Choose three.)


Options:

A. Syslog
B. XML API
C. 802.1X
D. WildFire
E. Server Monitoring

Answer: A, B, F

Palo Alto Networks PCNSE Sample Question 48

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?


Options:

A. Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile
B. Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy
C. Configure a Captive Portal authentication policy that uses an authentication sequence
D. Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns

Answer: B

Palo Alto Networks PCNSE Sample Question 49

The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such.

The admin has not yet installed the root certificate onto client systems.

What effect would this have on decryption functionality?


Options:

A. Decryption will function and there will be no effect to end users
B. Decryption will not function because self-signed root certificates are not supported
C. Decryption will not function until the certificate is installed on client systems
D. Decryption will function but users will see certificate warnings for each SSL site they visit

Answer: E

Palo Alto Networks PCNSE Sample Question 50

A network security engineer wants to prevent resource-consumption issues on the firewall.

Which strategy is consistent with decryption best practices to ensure consistent performance?


Options:

A. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
B. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
C. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
D. Use Decryption profiles to drop traffic that uses processor-intensive ciphers

Answer: C

Palo Alto Networks PCNSE Sample Question 51

A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?


Options:

A. DHCP has been set to Auto.
B. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
C. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
D. DNS has not been properly configured on the firewall

Answer: C

Palo Alto Networks PCNSE Sample Question 52

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com.

How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?


Options:

A. Create and add a monitor profile with an action of fail over in the PBF rule in question
B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
C. Configure path monitoring for the next hop gateway on the default route in the virtual router
D. Enable and configure a link monitoring profile for the external interface of the firewall

Answer: B

Palo Alto Networks PCNSE Sample Question 53

Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system?


Options:

A. Panorama Log Settings
B. Panorama Log Templates
C. Panorama Device Group Log Forwarding
D. Collector Log Forwarding for Collector Groups

Answer: A

Explanation: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage-log-collection/enable-log-forwarding-from-panorama-to-external-destinationt

Palo Alto Networks PCNSE Sample Question 54

Which CLI command displays the current management plane memory utilization?


Options:

A. > debug management-server show
B. > show running resource-monitor
C. > show system info
D. > show system resources

Answer: D

Explanation: "The command show system resources gives a snapshot of Management Plane (MP) resource utilization including memory and CPU. This is similar to the ‘top’ command in Linux." https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-system-resources/ta-p/59364

Palo Alto Networks PCNSE Sample Question 55

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?


Options:

A. 90Mbps
B. 300 Mbps
C. 75Mbps
D. 50Mbps

Answer: D

Explanation: The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage allocation). https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidti

Palo Alto Networks PCNSE Sample Question 56

Which three fields can be included in a pcap filter? (Choose three)


Options:

A. Egress interface
B. Source IP
C. Rule number
D. Destination IP
E. Ingress interface

Answer: B, C, D

Explanation: https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Packet-Capture/ta-p/72069

Palo Alto Networks PCNSE Sample Question 57

Which setting allows a DoS Protection profile to limit the maximum concurrent sessions from a source IP address?


Options:

A. Set the type to Aggregate, clear the Sessions box and set the Maximum Concurrent Sessions to 4000.
B. Set the type to Classified, clear the Sessions box and set the Maximum Concurrent Sessions to 4000.
C. Set the type to Classified, check the Sessions box and set the Maximum Concurrent Sessions to 4000.
D. Set the type to Aggregate, check the Sessions box and set the Maximum Concurrent Sessions to 4000.

Answer: D

Palo Alto Networks PCNSE Sample Question 58

What are three reasons for excluding a site from SSL decryption? (Choose three.)


Options:

A. the website is not present in English
B. unsupported ciphers
C. certificate pinning
D. unsupported browser version
E. mutual authentication

Answer: B, C, E

Explanation: Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption.htmm

Palo Alto Networks PCNSE Sample Question 59

Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?


Options:

A. Log
B. Alert
C. Allow
D. Default

Answer: C

