DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Pass Your PCNSE Certification Questions & Practice Tests, Palo Alto Networks Certified | SPOTO

Achieving success in the PCNSE certification exam requires diligent preparation and extensive practice. Our comprehensive range of resources, including practice tests, free test samples, online exam questions, exam dumps, and mock exams, provides you with all the necessary tools to excel. With our latest practice tests and exam materials, you can confidently tackle the challenging aspects of the exam and ensure your success in passing the certification. The PCNSE certification acknowledges individuals with profound expertise in designing, installing, configuring, maintaining, and troubleshooting Palo Alto Networks implementations. Serving as the essential exam for the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, it validates your proficiency in securing networks with Palo Alto's state-of-the-art technologies. Prepare effectively with our extensive collection of exam questions and answers, and embark on your journey to becoming an ultimate Palo Alto Networks expert.
Take other online exams

Question #1
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)
A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile
View answer
Correct Answer: A

View The Updated PCNSE Exam Questions

SPOTO Provides 100% Real PCNSE Exam Questions for You to Pass Your PCNSE Exam!

Question #2
A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked?
A. Block all unauthorized applications using a security policy
B. Block all known internal custom applications
C. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
D. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks
View answer
Correct Answer: C
Question #3
Support for which authentication method was added in PAN-OS 8.0?
A. RADIUS
B. LDAP
C. Diameter
D. TACACS+
View answer
Correct Answer: A
Question #4
In a firewall, which three decryption methods are valid? (Choose three )
A. SSL Inbound Inspection
B. SSL Outbound Proxyless Inspection
C. SSL Inbound Proxy
D. Decryption Mirror
E. SSH Proxy
View answer
Correct Answer: A
Question #5
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?
A. The two devices must share a routable floating IP address
B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection
View answer
Correct Answer: DE
Question #6
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two)
A. Brute-force signatures
B. BrightCloud Url Filtering
C. PAN-DB URL Filtering
D. DNS-based command-and-control signatures
View answer
Correct Answer: BC
Question #7
An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?
A. Layer 2 security chain
B. Layer 3 security chain
C. Transparent Bridge security chain
D. Transparent Proxy security chain
View answer
Correct Answer: AC
Question #8
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
A. Create a no-decrypt Decryption Policy rule
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL
C. Create a Dynamic Address Group for untrusted sites
D. Create a Security Policy rule with vulnerability Security Profile attached
E. Enable the “Block sessions with untrusted issuers” setting
View answer
Correct Answer: D
Question #9
In a Panorama template which three types of objects are configurable? (Choose three)
A. HIP objects
B. QoS profiles
C. interface management profiles
D. certificate profiles
E. security profiles
View answer
Correct Answer: A
Question #10
An administrator needs to implement an NGFW between their DMZ and Core network EIGRP Routing between the two environments is required Which interface type would support this business requirement?
A. Layer 3 interfaces but configuring EIGRP on the attached virtual router
B. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
C. Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on subinterfaces only
D. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel {with the GlobalProtect License to support LSVPN and EIGRP protocols)
View answer
Correct Answer: D
Question #11
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)
A. KVM
B. VMware ESX
C. VMware NSX
D. AWS
View answer
Correct Answer: A
Question #12
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three)
A. Clean
B. Bengin
C. Adware
D. Suspicious
E. Grayware
F. Malware
View answer
Correct Answer: BD
Question #13
In the following image from Panorama, why are some values shown in red?
A. sg2 session count is the lowest compared to the other managed devices
B. us3 has a logging rate that deviates from the administrator-configured thresholds
C. uk3 has a logging rate that deviates from the seven-day calculated baseline
D. sg2 has misconfigured session thresholds
View answer
Correct Answer: C
Question #14
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report?
A. Blocked Activity
B. Bandwidth Activity
C. Threat Activity
D. Network Activity
View answer
Correct Answer: A
Question #15
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?
A. Use the debug dataplane packet-diag set capture stage firewall file command
B. Enable all four stages of traffic capture (TX, RX, DROP, Firewall)
C. Use the debug dataplane packet-diag set capture stage management file command
D. Use the tcpdump command
View answer
Correct Answer: D
Question #16
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.)
A. View the System logs and look for the error messages about BGP
B. Perform a traffic pcap on the NGFW to see any BGP problems
C. View the Runtime Stats and look for problems with BGP configuration
D. View the ACC tab to isolate routing issues
View answer
Correct Answer: AD
Question #17
A users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com goes to http://www company com How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?
A. Create and add a monitor profile with an action of fail over in the PBF rule in question
B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
C. Configure path monitoring for the next hop gateway on the default route in the virtual router
D. Enable and configure a link monitoring profile for the external interface of the firewall
View answer
Correct Answer: C
Question #18
What are three valid actions in a File Blocking Profile? (Choose three)
A. Forward
B. Block
C. Alret
D. Upload
E. Reset-both
F. Continue
View answer
Correct Answer: AC
Question #19
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two )
A. equal-cost multipath
B. ingress processing errors
C. rule match with action "allow"
D. rule match with action "deny"
View answer
Correct Answer: B
Question #20
When setting up a security profile which three items can you use? (Choose three )
A. Wildfire analysis
B. anti-ransom ware
C. antivirus
D. URL filtering
E. decryption profile
View answer
Correct Answer: A
Question #21
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?
A. Port Inspection
B. Certificate revocation
C. Content-ID
D. App-ID
View answer
Correct Answer: AC
Question #22
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
A. Panorama discards incoming logs when storage capacity full
B. Panorama stops accepting logs until licenses for additional storage space are applied
C. Panorama stops accepting logs until a reboot to clean storage space
D. Panorama automatically deletes older logs to create space for new ones
View answer
Correct Answer: AD
Question #23
Which operation will impact performance of the management plane?
A. DoS protection
B. WildFire submissions
C. generating a SaaS Application report
D. decrypting SSL sessions
View answer
Correct Answer: D
Question #24
What file type upload is supported as part of the basic WildFire service?
A. PE
B. BAT
C. VBS
D. ELF
View answer
Correct Answer: B
Question #25
Which three rule types are available when defining policies in Panorama? (Choose three.)
A. Pre Rules
B. Post Rules
C. Default Rules
D. Stealth Rules
E. Clean Up Rules
View answer
Correct Answer: BC
Question #26
Which option describes the operation of the automatic commit recovery feature?
A. It enables a firewall to revert to the previous configuration if rule shadowing is detected
B. It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure
C. It enables a firewall to revert to the previous configuration if application dependency errors are found
D. It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure
View answer
Correct Answer: AD
Question #27
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)
A. wildcard server certificate
B. enterprise CA certificate
C. client certificate
D. server certificate
E. self-signed CA certificate
View answer
Correct Answer: D
Question #28
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic
A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
C. Rule # 1: application: ssl; service: application-default; action: allowRule #2: application: web-browsing; service: application-default; action: allow
D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow
View answer
Correct Answer: B
Question #29
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test?
A. test security -policy- match source destination destination port protocol
B. show security rule source destination destination port protocol
C. test security rule source destination destination port protocol
D. show security-policy-match source destination destination port protocol test security-policy- match source
View answer
Correct Answer: B
Question #30
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?
A. Assign an IP address on each tunnel interface at each site
B. Enable OSPFv3 on each tunnel interface and use Area ID 0
C. Assign OSPF Area ID 0
D. Create new VPN zones at each site to terminate each VPN connection
View answer
Correct Answer: ABC
Question #31
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
A. Rule Usage Hit counter will not be reset
B. Highlight Unused Rules will highlight all rules
C. Highlight Unused Rules will highlight zero rules
D. Rule Usage Hit counter will reset
View answer
Correct Answer: AB
Question #32
When overriding a template configuration locally on a firewall, what should you consider?
A. Only Panorama can revert the override
B. Panorama will lose visibility into the overridden configuration
C. Panorama will update the template with the overridden value
D. The firewall template will show that it is out of sync within Panorama
View answer
Correct Answer: D
Question #33
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane Where does the administrator view the desired data?
A. Monitor > Utilization
B. Resources Widget on the Dashboard
C. Support > Resources
D. Application Command and Control Center
View answer
Correct Answer: AC
Question #34
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise?( Choose three)
A. Download PAN-OS 8
B. Download PAN-OS 8
C. Push the PAN-OS 8
D. Push the PAN-OS 8
E. Download and install PAN-OS 8
F. Download and push PAN-OS 8
View answer
Correct Answer: A
Question #35
A traffic log might list an application as "not-applicable" for which two reasons'? (Choose two )
A. 0The firewall did not install the session
B. The TCP connection terminated without identifying any application data
C. The firewall dropped a TCP SYN packet
D. There was not enough application data after the TCP connection was established
View answer
Correct Answer: B
Question #36
Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?
A. X-Auth IPsec VPN
B. GlobalProtect Apple IOS
C. GlobalProtect SSL
D. GlobalProtect Linux
View answer
Correct Answer: A
Question #37
What will be the source address in the ICMP packet?
A. 10
B. 10
C. 10
D. 192
View answer
Correct Answer: A
Question #38
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?
A. Wildfire update package
B. User-ID agent
C. Anti virus update package
D. Application and Threats update package
View answer
Correct Answer: ABC
Question #39
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)
A. From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes
B. Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode
C. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes
D. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode
E. Log in the Panorama CLI of the dedicated Log Collector
View answer
Correct Answer: C
Question #40
What can missing SSL packets when performing a packet capture on dataplane interfaces?
A. The packets are hardware offloaded to the offloaded processor on the dataplane
B. The missing packets are offloaded to the management plane CPU
C. The packets are not captured because they are encrypted
D. There is a hardware problem with offloading FPGA on the management plane
View answer
Correct Answer: ACE
Question #41
An administrator has left a firewall to use the data of port for all management service which there functions are performed by the data face? (Choose three.)
A. NTP
B. Antivirus
C. Wildfire updates
D. NAT
E. File tracking
View answer
Correct Answer: AD
Question #42
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a source IP address?
A. Set the type to Aggregate, clear the session’s box and set the Maximum concurrent Sessions to 4000
B. Set the type to Classified, clear the session’s box and set the Maximum concurrent Sessions to 4000
C. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000
D. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000
View answer
Correct Answer: D
Question #43
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall?
A. 99
B. 1
C. 255
View answer
Correct Answer: B
Question #44
View the GlobalProtect configuration screen capture. What is the purpose of this configuration?
A. It configures the tunnel address of all internal clients to an IP address range starting at 192
B. It forces an internal client to connect to an internal gateway at IP address 192
C. It enables a client to perform a reverse DNS lookup on 192
D. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway’s hostname and IP address to the DNS server
View answer
Correct Answer: B

View The Updated PALO-ALTO Exam Questions

SPOTO Provides 100% Real PALO-ALTO Exam Questions for You to Pass Your PALO-ALTO Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: