Boost Your Certification Prep with PCNSE Mock Tests, Palo Alto Networks Certified | SPOTO

Elevate your PCNSE certification preparation with our comprehensive mock tests and exam materials. Access free test questions, online exam questions, sample questions, and exam dumps to assess your knowledge. Our exam questions and answers, covering real-world scenarios, provide invaluable exam practice, enabling you to identify areas for improvement. Leverage our latest practice tests, including mock exams, to gain in-depth knowledge and abilities required to design, install, configure, maintain, and troubleshoot Palo Alto Networks implementations. This intermediate PCNSE certification validates your expertise as a Palo Alto Networks Certified Network Security Engineer. Our up-to-date exam materials can help you succeed and pass the PCNSE certification exam with flying colors.

Question #1
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon?
A. Certificate revocation list
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Correct Answer: ABDF
Question #2
During SSL decryption, which three factors affect resource consumption? (Choose three.)
A. TLS protocol version
B. transaction size
C. key exchange algorithm
D. applications that use non-standard ports
E. certificate issuer
Correct Answer: D
Question #3
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. LDAP Server Profile configuration
C. GlobalProtect
D. Windows-based User-ID agent
Correct Answer: D
Question #4
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
A. link state
B. stateful firewall connection
C. certificates
D. profiles
Correct Answer: A
Question #5
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?
A. Enable QoS Data Filtering Profile
B. Enable QoS monitor
C. Enable QoS interface
D. Enable QoS in the Interface Management Profile
Correct Answer: D
Question #6
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web-browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080?
A. application: web-browsing; service: application-default
B. application: web-browsing; service: service-https
C. application: ssl; service: any
D. application: web-browsing; service: (custom with destination TCP port 8080)
Correct Answer: C
Question #7
Which feature can provide NGFWs with User-ID mapping information?
A. GlobalProtect
B. Web Captcha
C. Native 802
D. Native 802
Correct Answer: C
Question #8
Match each type of DoS attack to an example of that type of attack.
A. Mastered
B. Not Mastered
Correct Answer: CD
Question #9
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
A. check
B. find
C. test
D. sim
Correct Answer: B
Question #10
Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)
A. video streaming application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category
Correct Answer: B
Question #11
SD-WAN is designed to support which two network topology types? (Choose two.)
A. ring
B. point-to-point
C. hub-and-spoke
D. full-mesh
Correct Answer: DE
Question #12
Which three statements accurately describe Decryption Mirror? (Choose three.)
A. Decryption Mirror requires a tap interface on the firewall
B. Decryption, storage, inspection and use of SSL traffic are regulated in certain countries
C. Only management consent is required to use the Decryption Mirror feature
D. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment
E. Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel
Correct Answer: A
Question #13
Which feature prevents the submission of corporate login information into website forms?
A. Data filtering
B. User-ID
C. File blocking
D. Credential phishing prevention
Correct Answer: C
Question #14
Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log?
A. Authentication
B. GlobalProtect
C. Configuration
D. System
Correct Answer: BD
Question #15
Place the steps in the WildFire process workflow in their correct order.
A. Mastered
B. Not Mastered
Correct Answer: D
Question #16
When you configure a Layer 3 interface, what is one mandatory step?
A. Configure Security profiles, which need to be attached to each Layer 3 interface
B. Configure Interface Management profiles which need to be attached to each Layer 3 interface
C. Configure virtual routers to route the traffic for each Layer 3 interface
D. Configure service routes to route the traffic for each Layer 3 interface
Correct Answer: A
Question #17
An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. There must be a certificate with both the Forward Trust option and Forward Untrust option selected
B. A Decryption profile must be attached to the Decryption policy that the traffic matches
C. A Decryption profile must be attached to the Security policy that the traffic matches
D. There must be a certificate with only the Forward Trust option selected
Correct Answer: A
Question #18
If an administrator wants to decrypt SMTP traffic and possesses the server’s certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
A. TLS Bidirectional Inspection
B. SSL Inbound Inspection
C. SSH Forward Proxy
D. SMTP Inbound Decryption
Correct Answer: A
Question #19
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
A. Short message service
B. Push
C. User logon
D. Voice
E. SSH key
F. One-Time Password
Correct Answer: BD
Question #20
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers. Which VPN configuration would adapt to changes when deployed to the future site?
A. Preconfigured GlobalProtect satellite
B. Preconfigured GlobalProtect client
C. Preconfigured IPsec tunnels
D. Preconfigured PPTP Tunnels
Correct Answer: A
Question #21
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW?
A. Custom application
B. System logs show an application error and neither signature is used
C. Downloaded application
D. Custom and downloaded application signature files are merged and both are used
Correct Answer: CD
Question #22
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct? A) B) C) D)
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: C
Question #23
Only two Trust to Untrust allow rules have been created in the Security policy. Rule1 allows google-base. Rule2 allows youtube-base. The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found. Which action will allow youtube.com to display in the browser correctly?
A. Add SSL App-ID to Rule1
B. Create an additional Trust to Untrust Rule, add the web-browsing and SSL App-IDs to it
C. Add the DNS App-ID to Rule2
D. Add the Web-browsing App-ID to Rule2
Correct Answer: BE
Question #24
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
A. Client Probing
B. Port mapping
C. Server monitoring
D. Syslog listening
Correct Answer: A
Question #25
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
A. Configuration Logs
B. System Logs
C. Task Manager
D. Traffic Logs
Correct Answer: D
Question #26
Which Panorama objects restrict administrative access to specific device-groups?
A. templates
B. admin roles
C. access domains
D. authentication profiles
Correct Answer: C
Question #27
Which certificates can be used as a Forward Trust certificate?
A. Certificate from Default Trust Certificate Authorities
B. Domain Sub-CA
C. Forward_Trust
D. Domain-Root-Cert
Correct Answer: AC
Question #28
A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table. Which two configurations should you check on the firewall? (Choose two.)
A. Within the redistribution profile ensure that Redist is selected
B. In the redistribution profile check that the source type is set to "ospf"
C. In the OSPF configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section
D. Ensure that the OSPF neighbor state is "2-Way"
Correct Answer: A
Question #29
Use the image below. If the firewall has the displayed link monitoring configuration, what will cause a failover?
A. ethernet1/3 and ethernet1/6 going down
B. ethernet1/3 going down
C. ethernet1/6 going down
D. ethernet1/3 or ethernet1/6 going down
Correct Answer: ACD
Question #30
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and is experiencing issues completing the connection. The following is the output from the command less mp-log ikemgr.log: What could be the cause of this problem?
A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA
C. The shared secrets do not match between the Palo Alto firewall and the ASA
D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
Correct Answer: D
Question #31
Which Palo Alto Networks VM-Series firewall is valid?
A. VM-25
B. VM-800
C. VM-50
D. VM-400
Correct Answer: BC
Question #32
The following objects and policies are defined in a device group hierarchy. A) B) C) Address Objects: Shared Address1, Branch Address2; Policies: Shared Policy1, Branch Policy1 D) Address Objects: Shared Address1, Shared Address2, Branch Address1; Policies: Shared Policy1, Shared Policy2, Branch Policy1
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: ABC
Question #33
Given the following configuration, which route is used for destination 10.10.0.4?
A. Route 4
B. Route 3
C. Route 1
D. Route 3
Correct Answer: AC
Question #34
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.)
A. Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions
B. Enable User-ID on the zone object for the destination zone
C. Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions
D. Enable User-ID on the zone object for the source zone
E. Configure a RADIUS server profile to point to a domain controller
Correct Answer: D
Question #35
What are two characteristic types that can be defined for a variable? (Choose two.)
A. zone
B. FQDN
C. path group
D. IP netmask
Correct Answer: A
Question #36
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?
A. A Certificate Profile that contains the client certificate needs to be selected
B. The source address supports only files hosted with an ftp://
C. External Dynamic Lists do not support SSL connections
D. A Certificate Profile that contains the CA certificate needs to be selected
Correct Answer: C
Question #37
Which certificate can be used as the Forward Trust certificate?
A. Domain Sub-CA
B. Domain-Root-Cert
C. Certificate from Default Trusted Certificate Authorities
D. Forward-Trust
Correct Answer: A
Question #38
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?
A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols)
D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router
Correct Answer: C
Question #39
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two.)
A. test panorama-connect 10
B. show panorama-status
C. show arp all | match 10
D. tcpdump filter "host 10
E. debug dataplane packet-diag set capture on
Correct Answer: D
Question #40
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?
A. Enable and configure the Packet Buffer protection thresholds
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection
C. Create and Apply Zone Protection Profiles in all ingress zones
D. Configure and apply Zone Protection Profiles for all egress zones
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits
Correct Answer: B
Question #41
Which event will happen if an administrator uses an Application Override Policy?
A. Threat-ID processing time is decreased
B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4
C. The application name assigned to the traffic by the security rule is written to the Traffic log
D. App-ID processing time is increased
Correct Answer: B
Question #42
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent con
A. Create a decryption rule matching the encrypted BitTorrent traffic with action “No-Decrypt,” and place the rule at the top of the Decryption policy
B. Create a Security policy rule that matches application “encrypted BitTorrent” and place the rule at the top of the Security policy
C. Disable the exclude cache option for the firewall
D. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule
Correct Answer: A
Question #43
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile. What should be done next?
A. Click the simple-critical rule and then click the Action drop-down list
B. Click the Exceptions tab and then click show all signatures
C. View the default actions displayed in the Action column
D. Click the Rules tab and then look for rules with "default" in the Action column
Correct Answer: C
Question #44
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?
A. @Panorama
B. #Panorama
C. &Panorama
D. $Panorama
Correct Answer: D
Question #45
As a best practice, which URL category should you target first for SSL decryption?
A. Online Storage and Backup
B. High Risk
C. Health and Medicine
D. Financial Services
Correct Answer: A
