Weekend Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netbudy65

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)

Options:

A.

DNS Proxy

B.

SSL/TLS profiles

C.

address groups

D.

URL Filtering profiles

Buy Now
Questions 5

What type of NAT is required to configure transparent proxy?

Options:

A.

Source translation with Dynamic IP and Port

B.

Destination translation with Static IP

C.

Source translation with Static IP

D.

Destination translation with Dynamic IP

Buy Now
Questions 6

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Buy Now
Questions 7

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Options:

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Buy Now
Questions 8

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

Options:

A.

Command line > debug dataplane packet-diag clear filter-marked-session all

B.

In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

C.

Command line> debug dataplane packet-diag clear filter all

D.

In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

Buy Now
Questions 9

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

Options:

A.

NAT

B.

DOS protection

C.

QoS

D.

Tunnel inspection

Buy Now
Questions 10

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Options:

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Create an Application Override using TCP ports 443 and 80.

C.

Add the HTTP. SSL. and Evernote applications to the same Security policy.

D.

Add only the Evernote application to the Security policy rule.

Buy Now
Questions 11

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Buy Now
Questions 12

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Buy Now
Questions 13

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

PCNSE Question 13

Options:

A.

Incomplete

B.

unknown-tcp

C.

Insufficient-data

D.

not-applicable

Buy Now
Questions 14

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

Options:

A.

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

B.

Phase 2 SAs are synchronized over HA2 links.

C.

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

D.

Phase 1 SAs are synchronized over HA1 links.

Buy Now
Questions 15

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Buy Now
Questions 16

Which statement about High Availability timer settings is true?

Options:

A.

Use the Critical timer for faster failover timer settings.

B.

Use the Aggressive timer for faster failover timer settings

C.

Use the Moderate timer for typical failover timer settings

D.

Use the Recommended timer for faster failover timer settings.

Buy Now
Questions 17

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

PCNSE Question 17

What could an administrator do to troubleshoot the issue?

Options:

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Buy Now
Questions 18

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

Options:

A.

Apply DOS profile to security rules allow traffic from outside.

B.

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

C.

Enable packet buffer protection for the affected zones.

D.

Add a Zone Protection profile to the affected zones.

Buy Now
Questions 19

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?

Options:

A.

It automatically pushes the configuration to Panorama after strengthening the overall security posture

B.

It proactively enforces best practices by validating new commits and advising if a policy needs work before pushing it to Panorama

C.

The AIOps plugin in Panorama auto-corrects the security rules that failed the Best Practice Assessment

D.

The AIOps plugin in Panorama retroactively checks the policy changes during the commits

Buy Now
Questions 20

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?

Options:

A.

Terminal Server Agent for User Mapping

B.

Windows-Based User-ID Agent

C.

PAN-OS Integrated User-ID Agent

D.

PAN-OS XML API

Buy Now
Questions 21

A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?

Options:

A.

Device > Setup Settings Do not enable on each interface

B.

Network > Zone Settings Do not enable on each interface

C.

Network > Zone Settings Enable on each interface

D.

Device > Setup Settings Enable on each interface

Buy Now
Questions 22

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?

Options:

A.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

B.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Buy Now
Questions 23

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

Options:

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Buy Now
Questions 24

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

Options:

A.

Contact the site administrator with the expired certificate to request updates or renewal.

B.

Enable certificate revocation checking to deny access to sites with revoked certificates. -"

C.

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Buy Now
Questions 25

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

Options:

A.

Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

B.

Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.

C.

Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust

D.

Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.

Buy Now
Questions 26

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Buy Now
Questions 27

In a template, which two objects can be configured? (Choose two.)

Options:

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Buy Now
Questions 28

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Buy Now
Questions 29

An engineer is pushing configuration from Panorama to a managed firewall What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

Options:

A.

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

B.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

C.

The firewall rejects the pushed configuration, and the commit fails.

D.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Buy Now
Questions 30

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

Options:

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Buy Now
Questions 31

Based on the routing and interface information below, what should the NAT rule destination zone be set to?

PCNSE Question 31

Options:

A.

Outside

B.

Inside

C.

DMZ

D.

None

Buy Now
Questions 32

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)

Options:

A.

External zones with the virtual systems added.

B.

Layer 3 zones for the virtual systems that need to communicate.

C.

Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate.

D.

Add a route with next hop next-vr by using the VR configured in the virtual system.

E.

Ensure the virtual systems are visible to one another.

Buy Now
Questions 33

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

Options:

A.

Tunnel

B.

Ethernet

C.

VLAN

D.

Lookback

Buy Now
Questions 34

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Buy Now
Questions 35

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Buy Now
Questions 36

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Buy Now
Questions 37

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

Options:

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Buy Now
Questions 38

Given the following snippet of a WildFire submission log, did the end user successfully download a file?

PCNSE Question 38

Options:

A.

No, because the URL generated an alert.

B.

Yes, because both the web-browsing application and the flash file have the 'alert" action.

C.

Yes, because the final action is set to "allow.''

D.

No, because the action for the wildfire-virus is "reset-both."

Buy Now
Questions 39

Refer to the exhibit.

PCNSE Question 39

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Options:

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Buy Now
Questions 40

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

Options:

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Buy Now
Questions 41

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?

Options:

A.

Enable certificate revocation checking to deny access to sites with revoked certificates

B.

Add the certificate CN to the SSL Decryption Exclusion List to allow traffic without decryption

C.

Check for expired certificates and take appropriate actions to block or allow access based on business needs

D.

Contact the site administrator with the expired certificate to request updates or renewal

Buy Now
Questions 42

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?

Options:

A.

Enable PFS under the IKE gateway advanced options.

B.

Enable PFS under the IPSec Tunnel advanced options.

C.

Add an authentication algorithm in the IPSec Crypto profile.

D.

Select the appropriate DH Group under the IPSec Crypto profile.

Buy Now
Questions 43

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)

Options:

A.

An Application Override policy for the SIP traffic

B.

QoS on the egress interface for the traffic flows

C.

QoS on the ingress interface for the traffic flows

D.

A QoS profile defining traffic classes

E.

A QoS policy for each application ID

Buy Now
Questions 44

A firewall administrator wants to be able at to see all NAT sessions that are going ‘through a firewall with source NAT. Which CLI command can the administrator use?

Options:

A.

show session all filter nat-rule-source

B.

show running nat-rule-ippool rule "rule_name

C.

show running nat-policy

D.

show session all filter nat source

Buy Now
Questions 45

Users have reported an issue when they are trying to access a server on your network. The requests aren’t taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?

Options:

A.

The first route installed

B.

The route with the lowest administrative distance

C.

Bidirectional Forwarding Detection

D.

The route with the highest administrative distance

Buy Now
Questions 46

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

Options:

A.

Check dependencies

B.

Schedules

C.

Verify

D.

Revert content

E.

Install

Buy Now
Questions 47

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)

Options:

A.

Configure the decryption profile.

B.

Define a Forward Trust Certificate.

C.

Configure SSL decryption rules.

D.

Configure a SSL/TLS service profile.

Buy Now
Questions 48

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

Options:

A.

Application Groups

B.

Policy Optimizer

C.

Test Policy Match

D.

Config Audit

Buy Now
Questions 49

What is the best description of the Cluster Synchronization Timeout (min)?

Options:

A.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

D.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

Buy Now
Questions 50

A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?

Options:

A.

Select the check box "Log packet-based attack events" in the Zone Protection profile

B.

No action is needed Zone Protection events appear in the threat logs by default

C.

Select the check box "Log Zone Protection events" in the Content-ID settings of the firewall

D.

Access the CLI in each firewall and enter the command set system setting additional-threat-log on

Buy Now
Questions 51

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?

Options:

A.

Outdated plugins

B.

Global Protect agent version

C.

Expired certificates

D.

Management only mode

Buy Now
Questions 52

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

PCNSE Question 52

Options:

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Buy Now
Questions 53

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Buy Now
Questions 54

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

Options:

A.

Upload the image to Panorama > Software menu, and deploy it to the firewalls. *

B.

Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.

C.

Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

D.

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Buy Now
Questions 55

Match the terms to their corresponding definitions

PCNSE Question 55

Options:

Buy Now
Questions 56

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Options:

A.

Authentication Portal

B.

SSL Decryption profile

C.

SSL decryption policy

D.

comfort pages

Buy Now
Questions 57

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?

Options:

A.

Create a Group Mapping with 800 groups in the Group Include List.

B.

Create two Group Include Lists, each with 400 Active Directory groups.

C.

Create a Group Include List with the 800 Active Directory groups.

D.

Create two Group Mappings, each with 400 groups in the Group Include List.

Buy Now
Questions 58

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Options:

A.

ingress for the outgoing traffic to the internet

B.

Loopback for the proxy

C.

Firewall management

D.

ingress for the client traffic

Buy Now
Questions 59

Please match the terms to their corresponding definitions.

PCNSE Question 59

Options:

Buy Now
Questions 60

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

Options:

A.

Low

B.

High

C.

Critical

D.

Informational

E.

Medium

Buy Now
Questions 61

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Buy Now
Questions 62

Which three statements accurately describe Decryption Mirror? (Choose three.)

Options:

A.

Decryption Mirror requires a tap interface on the firewall

B.

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

C.

Only management consent is required to use the Decryption Mirror feature.

D.

Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

E.

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Buy Now
Questions 63

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Options:

A.

Custom URL category in URL Filtering profile

B.

EDL in URL Filtering profile

C.

PAN-DB URL category in URL Filtering profile

D.

Custom URL category in Security policy rule

Buy Now
Questions 64

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Buy Now
Questions 65

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Buy Now
Questions 66

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.

UaCredlnstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

Talnstall-11.0.0.msi

D.

Ualnstall-11.0.0msi

Buy Now
Questions 67

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

Options:

A.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.

C.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

D.

Remove the Zone protection profile from the zone setting.

Buy Now
Questions 68

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

PCNSE Question 68

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?

Options:

A.

Monitor Fail Hold Up Time

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Hello Interval

Buy Now
Questions 69

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

Options:

A.

Minimum TLS version

B.

Certificate

C.

Encryption Algorithm

D.

Maximum TLS version

E.

Authentication Algorithm

Buy Now
Questions 70

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Buy Now
Questions 71

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time. Which method is the most time-efficient to complete this task?

Options:

A.

Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

B.

Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

C.

Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

D.

Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

Buy Now
Questions 72

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click AddSelect Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Buy Now
Questions 73

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6 12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

PCNSE Question 73

What should the NAT rule destination zone be set to?

Options:

A.

None

B.

Outside

C.

DMZ

D.

Inside

Buy Now
Questions 74

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Buy Now
Questions 75

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Options:

A.

HSCI-C

B.

Console Backup

C.

HA3

D.

HA2 backup

Buy Now
Questions 76

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

Options:

A.

Firewalls which support policy-based VPNs.

B.

The remote device is a non-Palo Alto Networks firewall.

C.

Firewalls which support route-based VPNs.

D.

The remote device is a Palo Alto Networks firewall.

Buy Now
Questions 77

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Buy Now
Questions 78

Which protocol is supported by GlobalProtect Clientless VPN?

Options:

A.

FTP

B.

RDP

C.

SSH

D.

HTTPS

Buy Now
Questions 79

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

Options:

A.

The forward untrust certificate has not been signed by the self-singed root CA certificate.

B.

The forward trust certificate has not been installed in client systems.

C.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

D.

The forward trust certificate has not been signed by the self-singed root CA certificate.

Buy Now
Questions 80

A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?

Options:

A.

Create a service route that sets the source interface to the data plane interface in question

B.

Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed

C.

Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface

D.

Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface’s IP

Buy Now
Questions 81

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Options:

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.2. Check the box for negate option to negate this IP from the NAT translation.

Buy Now
Questions 82

For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin.

B.

Create a Custom Panorama Admin.

C.

Create a Dynamic Admin with the Panorama Administrator role.

D.

Create a Dynamic Read only superuser.

Buy Now
Questions 83

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Dynamic Read-only Superuser

D.

Create a Custom Panorama Admin

Buy Now
Questions 84

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?

Options:

A.

Ping interval of 200 ms and ping count of three failed pings

B.

Ping interval of 5000 ms and ping count of 10 failed pings

C.

Ping interval of 200 ms and ping count of 10 failed pings

D.

Ping interval of 5000 ms and ping count of three failed pings

Buy Now
Questions 85

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Buy Now
Questions 86

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?

Options:

A.

IPSec Tunnel settings

B.

IKE Crypto profile

C.

IPSec Crypto profile

D.

IKE Gateway profile

Buy Now
Questions 87

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Data Patterns within Objects > Custom Objects

B.

Custom Log Format within Device Server Profiles> Syslog

C.

Built-in Actions within Objects > Log Forwarding Profile

D.

Logging and Reporting Settings within Device > Setup > Management

Buy Now
Questions 88

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

PCNSE Question 88

PCNSE Question 88

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Buy Now
Questions 89

Which two are required by IPSec in transport mode? (Choose two.)

Options:

A.

Auto generated key

B.

NAT Traversal

C.

IKEv1

D.

DH-group 20 (ECP-384 bits)

Buy Now
Questions 90

Which three items must be configured to implement application override? (Choose three )

Options:

A.

Custom app

B.

Security policy rule

C.

Application override policy rule

D.

Decryption policy rule

E.

Application filter

Buy Now
Questions 91

A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.

Which two actions are required for this scenario to work? (Choose two.)

Options:

A.

On the HQ firewall select peer IP address type FQDN

B.

On the remote location firewall select peer IP address type Dynamic

C.

On the HQ firewall enable DDNS under the interface used for the IPSec tunnel

D.

On the remote location firewall enable DONS under the interface used for the IPSec tunnel

Buy Now
Questions 92

Which type of zone will allow different virtual systems to communicate with each other?

Options:

A.

Tap

B.

External

C.

Virtual Wire

D.

Tunnel

Buy Now
Questions 93

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.

A self-signed Certificate Authority certificate generated by the firewall

B.

A Machine Certificate for the firewall signed by the organization's PKI

C.

A web server certificate signed by the organization's PKI

D.

A subordinate Certificate Authority certificate signed by the organization's PKI

Buy Now
Questions 94

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Buy Now
Questions 95

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?

Options:

A.

HA1

B.

HA3

C.

HA2

D.

HA4

Buy Now
Questions 96

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

Options:

A.

> show counter global filter packet-filter yes delta yes

B.

> show counter global filter severity drop

C.

> debug dataplane packet-diag set capture stage drop

D.

> show counter global filter delta yes I match 10.1.1-1

Buy Now
Questions 97

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

Options:

A.

1

B.

2

C.

3

D.

4

Buy Now
Questions 98

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

Options:

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Buy Now
Questions 99

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)

Options:

A.

Server certificate

B.

Certificate Profile

C.

CA certificate

D.

SSL/TLS Service Profile

Buy Now
Questions 100

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

Options:

A.

Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency

B.

Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer

C.

Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability

D.

Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

Buy Now
Questions 101

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?

Options:

A.

Ensure Force Template Values is checked when pushing configuration.

B.

Push the Template first, then push Device Group to the newly managed firewall.

C.

Perform the Export or push Device Config Bundle to the newly managed firewall.

D.

Push the Device Group first, then push Template to the newly managed firewall

Buy Now
Questions 102

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

Options:

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Buy Now
Questions 103

When using certificate authentication for firewall administration, which method is used for authorization?

Options:

A.

Local

B.

Radius

C.

Kerberos

D.

LDAP

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Jul 17, 2025
Questions: 346

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99