DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

PCNSE Exam Practice Made Easy: Latest Mock Exams, Palo Alto Networks Certified | SPOTO

Mastering PCNSE exam preparation is simplified with our latest mock exams. Our comprehensive range of resources, including practice tests, free test samples, online exam questions, and exam dumps, ensures effective exam practice. Tailored to the PCNSE certification, our mock exams cover all aspects of designing, installing, configuring, maintaining, and troubleshooting Palo Alto Networks implementations. As the essential exam for earning the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, success hinges on thorough preparation. Our exam materials, including sample questions and exam questions and answers, provide the perfect platform to refine your skills and knowledge. With SPOTO, conquering the PCNSE exam becomes achievable. Trust our latest practice tests to guide you towards certification success and elevate your expertise in Palo Alto Networks technology.
Take other online exams

Question #1
After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama’s traffic logs. What could be the problem?
A. A Server Profile has not been configured for logging to this Panorama device
B. Panorama is not licensed to receive logs from this particular firewall
C. The firewall is not licensed for logging to this Panorama device
D. None of the firwwall's policies have been assigned a Log Forwarding profile
View answer
Correct Answer: CE
Question #2
SAML SLO is supported for which two firewall features? (Choose two.)
A. GlobalProtect Portal
B. CaptivePortal
C. WebUI
D. CLI
View answer
Correct Answer: D
Question #3
Given the following table. Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?
A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext
D. Configuring the metric for RIP to be lower than that OSPF Ext
View answer
Correct Answer: D
Question #4
Which Panorama administrator types require the configuration of at least one access domain? (Choose two)
A. Dynamic
B. Custom Panorama Admin
C. Role Based
D. Device Group
E. Template Admin
View answer
Correct Answer: B
Question #5
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified?
A. Service route
B. Default route
C. Management profile
D. Authentication profile
View answer
Correct Answer: A
Question #6
Which three options are available when creating a security profile? (Choose three)
A. Anti-Malware
B. File Blocking
C. Url Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus
View answer
Correct Answer: A
Question #7
An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?
A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
C. Use an enterprise CA-signed certificate for the Forward Untrust certificate
D. Use the same Forward Trust certificate on all firewalls in the network
View answer
Correct Answer: B
Question #8
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (Cas)
A. Enterprise-Trusted-CA; which is verified as Forward Trust Certificate (The CA is also installed in the trusted store of the end-user browser and system )i
B. Enterpnse-Untrusted-CA, which is verified as Forward Untrust Certificateii
C. Enterprise-lntermediate-CAi
D. Enterprise-Root-CA which is verified only as Trusted Root CAAn end-user visits https //www example-website com/ with a server certificate Common Name (CN) www example-website com The firewall does the SSL Forward Proxy decryption for the website and the server certificate is not trusted by the firewallThe end- user's browser will show that the certificate for www example-website com was issued by which of the following?
E. Enterprise-Untrusted-CA which is a self-signed CA
F. Enterprise-Trusted-CA which is a self-signed CA G
View answer
Correct Answer: D
Question #9
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?
A. Palo Alto Networks > Symantec > VeriSign
B. Symantec > VeriSign > Palo Alto Networks
C. VeriSign > Palo Alto Networks > Symantec
D. VeriSign > Symantec > Palo Alto Networks
View answer
Correct Answer: AB
Question #10
Which CLI command displays the physical media that are connected to ethernetl/8?
A. > show system state filter-pretty sys
B. > show interface ethernetl/8
C. > show system state filter-pretty sys
D. > show system state filter-pretty sys
View answer
Correct Answer: A
Question #11
Which two features does PAN-OS? software use to identify applications? (Choose two)
A. port number
B. session number
C. transaction characteristics
D. application layer payload
View answer
Correct Answer: C
Question #12
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS? software would help in this case?
A. Application override
B. Redistribution of user mappings
C. Virtual Wire mode
D. Content inspection
View answer
Correct Answer: B
Question #13
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS? software?
A. XML API
B. Port Mapping
C. Client Probing
D. Server Monitoring
View answer
Correct Answer: DE
Question #14
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)
A. the website matches a category that is not allowed for most users
B. the website matches a high-risk category
C. the web server requires mutual authentication
D. the website matches a sensitive category
View answer
Correct Answer: AC
Question #15
In a virtual router, which object contains all potential routes?
A. MIB
B. RIB
C. SIP
D. FIB
View answer
Correct Answer: B
Question #16
How does Panorama prompt VMWare NSX to quarantine an infected VM?
A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile
View answer
Correct Answer: DE
Question #17
If the firewall is configured for credential phishing prevention using the “Domain Credential Filter” method, which login will be detected as credential theft?
A. Mapping to the IP address of the logged-in user
B. First four letters of the username matching any valid corporate username
C. Using the same user’s corporate username and password
D. Marching any valid corporate username
View answer
Correct Answer: C
Question #18
Which feature can be configured on VM-Series firewalls?
A. aggregate interfaces
B. machine learning
C. multiple virtual systems
D. GlobalProtect
View answer
Correct Answer: AD
Question #19
Which three items are import considerations during SD-WAN configuration planning? (Choose three.)
A. link requirements
B. the name of the ISP
C. IP Addresses
D. branch and hub locations
View answer
Correct Answer: AD
Question #20
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?
A. Perform the Panorama and firewall upgrades simultaneously
B. Upgrade the firewall first wait at least 24 hours and then upgrade the Panorama version
C. Upgrade Panorama to a version at or above the target firewall version
D. Export the device state perform the update, and then import the device state
View answer
Correct Answer: C
Question #21
What are three valid method of user mapping? (Choose three)
A. Syslog
B. XML API
C. 802
D. WildFire
E. Server Monitoring
View answer
Correct Answer: ABC
Question #22
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
A. ACC
B. System Logs
C. App Scope
D. Session Browser
View answer
Correct Answer: AD
Question #23
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two)
A. Untrust (Any) to Untrust (10
B. Untrust (Any) to DMZ (1
C. Untrust (Any) to DMZ (1
D. Untrust (Any) to Untrust (10
View answer
Correct Answer: B
Question #24
When you configure an active/active high availability pair which two links can you use? (Choose two)
A. HA2 backup
B. HA3
C. Console Backup
D. HSCI-C
View answer
Correct Answer: A
Question #25
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict?
A. More than 15 minutes
B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes
View answer
Correct Answer: D
Question #26
In High Availability, which information is transferred via the HA data link?
A. session information
B. heartbeats
C. HA state information
D. User-ID information
View answer
Correct Answer: A
Question #27
Which operation will impact the performance of the management plane?
A. WildFire Submissions
B. DoS Protection
C. decrypting SSL Sessions
D. Generating a SaaS Application Report
View answer
Correct Answer: D
Question #28
An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?
A. Panorama has no connection to Palo Alto Networks update servers
B. Panorama does not have valid licenses to push the dynamic updates
C. No service route is configured on the firewalls to Palo Alto Networks update servers
D. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
View answer
Correct Answer: B
Question #29
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.
A. Mastered
B. Not Mastered
View answer
Correct Answer: B
Question #30
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?
A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
B. Add a Vulnerability Protection Profile to block the attack
C. Add QoS Profiles to throttle incoming requests
D. Add a DoS Protection Profile with defined session count
View answer
Correct Answer: D
Question #31
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
A. Configure the management interface as HA3 Backup
B. Configure Ethernet 1/1 as HA1 Backup
C. Configure Ethernet 1/1 as HA2 Backup
D. Configure the management interface as HA2 Backup
E. Configure the management interface as HA1 Backup
F. Configure ethernet1/1 as HA3 Backup
View answer
Correct Answer: AC
Question #32
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?
A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole
B. File Blocking profiles applied to outbound security policies with action set to alert
C. Vulnerability Protection profiles applied to outbound security policies with action set to block
D. Antivirus profiles applied to outbound security policies with action set to alert
View answer
Correct Answer: BD
Question #33
Which Captive Portal mode must be configured to support MFA authentication?
A. NTLM
B. Redirect
C. Single Sign-On
D. Transparent
View answer
Correct Answer: B
Question #34
A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred?
A. From the CLI issue use the show System log
B. Apply the filter subtype eq ha to the System log
C. Apply the filter subtype eq ha to the configuration log
D. Check the status of the High Availability widget on the Dashboard of the GUI
View answer
Correct Answer: C
Question #35
When configuring the firewall for packet capture, what are the valid stage types?
A. Receive, management , transmit , and drop
B. Receive , firewall, send , and non-syn
C. Receive management , transmit, and non-syn
D. Receive , firewall, transmit, and drop
View answer
Correct Answer: B
Question #36
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?
A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring
View answer
Correct Answer: C
Question #37
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two)
A. Successful GlobalProtect Connection Activity
B. Successful GlobalProtect Deployed Activity
C. GlobalProtect Quarantine Activity
D. GlobalProtect Deployment Activity
View answer
Correct Answer: D
Question #38
An administrator needs to troubleshoot a User-ID deployment The administrator believes that there is an issue related to LDAP authentication The administrator wants to create a packet capture on the management plane Which CLI command should the administrator use to obtain the packet capture for validating the configuration^
A. > ftp export mgmt-pcap from mgmt
B. > scp export mgmt-pcap from mgmt
C. > scp export pcap-mgmt from pcap
D. > scp export pcap from pcap to (usernameQhost:path)
View answer
Correct Answer: A
Question #39
An administrator needs to upgrade an NGFW to the most current version of PAN-OS? software. The following is occurring: ?Firewall has Internet connectivity through e1/1. ?Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone. ?Service route is configured, sourcing update traffic from e1/1. ?A communication error appears in the System logs when updates are performed. ?Download does not complete. What must be configured to enable the firewall to download the c
A. DNS settings for the firewall to use for resolution
B. scheduler for timed downloads of PAN-OS software
C. static route pointing application PaloAlto-updates to the update servers
D. Security policy rule allowing PaloAlto-updates as the application
View answer
Correct Answer: D
Question #40
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
A. Ye
B. because the action is set to "allow ''
C. No because WildFire categorized a file with the verdict "malicious"
D. Yes because the action is set to "alert"
E. No because WildFire classified the seventy as "high
View answer
Correct Answer: D
Question #41
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface Which interface type and configuration setting will support this design?
A. Trunk interface type with specified tag
B. Layer 3 interface type with specified tag
C. Layer 2 interface type with a VLAN assigned
D. Layer 3 subinterface type with specified tag
View answer
Correct Answer: B
Question #42
Panorama provides which two SD_WAN functions? (Choose two.)
A. data plane
B. physical network links
C. network monitoring
D. control plane
View answer
Correct Answer: C
Question #43
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
A. The settings assigned to the template that is on top of the stack
B. The administrator will be promoted to choose the settings for that chosen firewall
C. All the settings configured in all templates
D. Depending on the firewall location, Panorama decides with settings to send
View answer
Correct Answer: D
Question #44
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured. What can be the cause of this problem?
A. No Zone has been configured on Ethernet 1/4
B. Interface Ethernet 1/1 is in Virtual Wire Mode
C. DNS has not been properly configured on the firewall
D. DNS has not been properly configured on the host
View answer
Correct Answer: D
Question #45
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?
A. Use config-drive on a USB stick
B. Use an S3 bucket with an ISO
C. Create and attach a virtual hard disk (VHD)
D. Use a virtual CD-ROM with an ISO
View answer
Correct Answer: CD
Question #46
Before you upgrade a Palo Alto Networks NGFW what must you do?
A. Make sure that the PAN-OS support contract is valid for at least another year
B. Export a device state of the firewall
C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions
D. Make sure that the firewall is running a supported version of the app + threat update
View answer
Correct Answer: D
Question #47
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command: What could be the cause of this problem?
A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA
B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA
C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA
D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA
View answer
Correct Answer: D
Question #48
A network administrator uses Panorama to push security polices to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites to override these products?
A. Pre Rules
B. Post Rules
C. Explicit Rules
D. Implicit Rules
View answer
Correct Answer: B
Question #49
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three )
A. Destination Zone
B. App-ID
C. Custom URL Category
D. User-ID
E. Source Interface
View answer
Correct Answer: B
Question #50
An internal system is not functioning The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)
A. no install on the route
B. duplicate static route
C. path monitoring on the static route
D. disabling of the static route
View answer
Correct Answer: A
Question #51
Exhibit: What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?
A. ethernet1/7
B. ethernet1/5
C. ethernet1/6
D. ethernet1/3
View answer
Correct Answer: C
Question #52
Which PAN-OS? policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?
A. Security policy
B. Decryption policy
C. Authentication policy
D. Application Override policy
View answer
Correct Answer: D
Question #53
Which rule type controls end user SSL traffic to external websites?
A. SSL Outbound Proxyless Inspection
B. SSL Forward Proxy
C. SSL Inbound Inspection
D. SSH Proxy
View answer
Correct Answer: B
Question #54
In which two types of deployment is active/active HA configuration supported? (Choose two.)
A. TAP mode
B. Layer 2 mode
C. Virtual Wire mode
D. Layer 3 mode
View answer
Correct Answer: CD

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: