DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

PCNSE Exam Prep: Study Materials & Mock Tests, Palo Alto Networks Certified | SPOTO

Prepare effectively for the PCNSE exam with our comprehensive study materials and mock tests. Our curated resources, including practice tests, free test samples, online exam questions, and exam dumps, facilitate thorough exam practice. Tailored specifically for the PCNSE certification, our study materials cover all essential aspects, from designing and installing to configuring, maintaining, and troubleshooting Palo Alto Networks implementations. As the crucial exam for obtaining the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, success relies on meticulous preparation. Utilize our exam materials, including sample questions and exam questions and answers, to enhance your understanding and proficiency. With SPOTO, accessing the latest practice tests becomes effortless, ensuring you're well-prepared to pass the certification exam with confidence. Trust in our mock tests and study materials to elevate your expertise in Palo Alto Networks technology and excel in your certification journey.
Take other online exams

Question #1
An administrator has users accessing network resources through Citrix XenApp 7 x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources?
A. Client Probing
B. Terminal Services agent
C. GlobalProtect
D. Syslog Monitoring
View answer
Correct Answer: B

View The Updated PCNSE Exam Questions

SPOTO Provides 100% Real PCNSE Exam Questions for You to Pass Your PCNSE Exam!

Question #2
Which three authentication services can administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
A. Kerberos
B. PAP
C. SAML
D. TACACS+ E
View answer
Correct Answer: C
Question #3
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company’s proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result?
A. Create a custom App-ID and enable scanning on the advanced tab
B. Create an Application Override policy
C. Create a custom App-ID and use the “ordered conditions” check box
D. Create an Application Override policy and custom threat signature for the application
View answer
Correct Answer: B
Question #4
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?
A. When configuring Certificate Profiles
B. When configuring GlobalProtect portal
C. When configuring User Activity Reports
D. When configuring Antivirus Dynamic Updates
View answer
Correct Answer: A
Question #5
A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?
A. Remove the cable from the management interface, reload the log Collector and then re-connect that cable
B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
C. remove the device from the Collector Group
D. Revert to a previous configuration
View answer
Correct Answer: CD
Question #6
Which method will dynamically register tags on the Palo Alto Networks NGFW?
A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
View answer
Correct Answer: C
Question #7
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?
A. Configure ECMP to handle matching NAT traffic
B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi- directional option
View answer
Correct Answer: A
Question #8
A user’s traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user’s traffic matches when it goes to http://www.company.com. How can the firewall be configured automatically disable the PBF rule if the next hop goes down?
A. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question:
B. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question
C. Enable and configure a Link Monitoring Profile for the external interface of the firewall
D. Configure path monitoring for the next hop gateway on the default route in the virtual router
View answer
Correct Answer: D
Question #9
Only two Trust to Untrust allow rules have been created in the Security policy Rule1 allows google-base Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found. Which action will allow youtube.com display in the browser correctly?
A. Add SSL App-ID to Rule1
B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
C. Add the DNS App-ID to Rule2
D. Add the Web-browsing App-ID to Rule2
View answer
Correct Answer: A
Question #10
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal?
A. Assign an IP address on each tunnel interface at each site
B. Enable OSPFv3 on each tunnel interface and use Area ID 0
C. Assign OSPF Area ID 0
D. Create new VPN zones at each site to terminate each VPN connection
View answer
Correct Answer: D
Question #11
Which three options are available when creating a security profile? (Choose three)
A. Anti-Malware
B. File Blocking
C. Url Filtering
D. IDS/ISP
E. Threat Prevention
F. Antivirus
View answer
Correct Answer: C
Question #12
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. 6-tuple match:Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone
B. 5-tuple match:Source IP Address, Destination IP Address, Source port, Destination Port, Protocol
C. 7-tuple match:Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone
D. 9-tuple match:Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone,Destination Security Zone, Application, and URL Category
View answer
Correct Answer: D
Question #13
Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”
A. Descendant objects will take precedence over other descendant objects
B. Descendant objects will take precedence over ancestor objects
C. Ancestor objects will have precedence over descendant objects
D. Ancestor objects will have precedence over other ancestor objects
View answer
Correct Answer: C
Question #14
YouTube videos are consuming too much bandwidth on the network, causing delays in mission- critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall: * ethernet1/1, Zone: Untrust (Internet-facing) * ethernet1/2, Zone: Trust (client-facing) A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbou
A. Outbound profile with Guaranteed Ingress
B. Outbound profile with Maximum Ingress
C. Inbound profile with Guaranteed Egress
D. Inbound profile with Maximum Egress
View answer
Correct Answer: C
Question #15
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?
A. GlobalProtect version 4
B. GlobalProtect version 4
C. GlobalProtect version 4
D. GlobalProtect version 4
View answer
Correct Answer: B
Question #16
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW?
A. App Scope
B. ACC
C. Session Browser
D. System Logs
View answer
Correct Answer: C
Question #17
Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.
A. Zone Pair:Source Zone: Internet Destination Zone: DMZ Rule Type:“intrazone”
B. Zone Pair:Source Zone: Internet Destination Zone: DMZ Rule Type:“intrazone” or “universal”
C. Zone Pair:Source Zone: Internet Destination Zone: Internet Rule Type:“intrazone” or “universal”
D. Zone Pair:Source Zone: Internet Destination Zone: Internet Rule Type:“intrazone”
View answer
Correct Answer: D
Question #18
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. How should this be accomplished?
A. Create a Template with the appropriate IKE Gateway settings
B. Create a Template with the appropriate IPSec tunnel settings
C. Create a Device Group with the appropriate IKE Gateway settings
D. Create a Device Group with the appropriate IPSec tunnel settings
View answer
Correct Answer: C
Question #19
Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)
A. Content-ID
B. User-ID
C. Applications and Threats
D. Antivirus
View answer
Correct Answer: A
Question #20
Which feature can provide NGFWs with User-ID mapping information?
A. Web Captcha
B. Native 802
C. GlobalProtect
D. Native 802
View answer
Correct Answer: A
Question #21
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information. Users outside the company are in the "Untrust-L3" zone The web server physically resides in the "Trust-L3" zone. Web server public IP address: 23.54.6.10 Web server private IP address: 192.168.1.10 Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)
A. Untrust-L3 for both Source and Destination zone
B. Destination IP of 192
C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
D. Destination IP of 23
View answer
Correct Answer: CD
Question #22
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama
View answer
Correct Answer: A
Question #23
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict?
A. More than 15 minutes
B. 5 minutes
C. 10 to 15 minutes
D. 5 to 10 minutes
View answer
Correct Answer: BD
Question #24
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to 10.1.1.100 on TCP Port 8080. Which NAT and security rules must be configured on the firewall? (Choose two)
A. A security policy with a source of any from untrust-I3 Zone to a destination of 10
B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10
C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1
D. A security policy with a source of any from untrust-I3 zone to a destination of 1
View answer
Correct Answer: B
Question #25
An administrator has configured the Palo Alto Networks NGFW’s management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates?
A. A scheduler will need to be configured for application signatures
B. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers
C. A Threat Prevention license will need to be installed
D. A service route will need to be configured
View answer
Correct Answer: A
Question #26
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)
A. Block sessions with expired certificates
B. Block sessions with client authentication
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
E. Block credential phishing
View answer
Correct Answer: A
Question #27
Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?
A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
C. Configure log compression and optimization features on all remote firewalls
D. Any configuration on an M-500 would address the insufficient bandwidth concerns
View answer
Correct Answer: D
Question #28
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS? version, and serial number?
A. debug system details
B. show session info
C. show system info
D. show system details
View answer
Correct Answer: C
Question #29
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/
B. It is used when web servers request a client certificate
C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall
D. It is used for Captive Portal to identify unknown users
View answer
Correct Answer: BD
Question #30
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?
A. System log
B. CPU Utilization widget
C. Resources widget
D. System Utilization log
View answer
Correct Answer: B
Question #31
Which data flow describes redistribution of user mappings?
A. User-ID agent to firewall
B. firewall to firewall
C. Domain Controller to User-ID agent
D. User-ID agent to Panorama
View answer
Correct Answer: A
Question #32
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
A. Select download-and-install
B. Select download-and-install, with "Disable new apps in content update" selected
C. Select download-only
D. Select disable application updates and select "Install only Threat updates"
View answer
Correct Answer: ADE
Question #33
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.)
A. Virtual router
B. Security zone
C. ARP entries
D. Netflow Profile
View answer
Correct Answer: AB
Question #34
A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex. Which CLI command will help identify the issue?
A. test routing fib virtual-router vr1
B. show routing route type static destination 98
C. test routing fib-lookup ip 98
D. show routing interface
View answer
Correct Answer: B
Question #35
Which three firewall states are valid? (Choose three)
A. Active
B. Functional
C. Pending
D. Passive
E. Suspended
View answer
Correct Answer: AC
Question #36
What will be the source address in the ICMP packet?
A. 10
B. 10
C. 10
D. 192
View answer
Correct Answer: ACF
Question #37
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?
A. 5-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol
B. 7-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port ,Source User, URL Category and Source Security Zone
C. 6-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Protocol and Source Security Zone
D. 9-tuple matchSource IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application and URL Category
View answer
Correct Answer: DEF
Question #38
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured. What can be the cause of this problem?
A. No Zone has been configured on Ethernet 1/4
B. Interface Ethernet 1/1 is in Virtual Wire Mode
C. DNS has not been properly configured on the firewall
D. DNS has not been properly configured on the host
View answer
Correct Answer: ABC
Question #39
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified?
A. Service route
B. Default route
C. Management profile
D. Authentication profile
View answer
Correct Answer: AB
Question #40
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
A. Load named configuration snapshot
B. Load configuration version
C. Save candidate config
D. Export device state
View answer
Correct Answer: C
Question #41
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps?
A. set deviceconfig interface speed-duplex 1Gbps-full-duplex
B. set deviceconfig system speed-duplex 1Gbps-duplex
C. set deviceconfig system speed-duplex 1Gbps-full-duplex
D. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
View answer
Correct Answer: C
Question #42
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?
A. To enable Gateway authentication to the Portal
B. To enable Portal authentication to the Gateway
C. To enable user authentication to the Portal
D. To enable client machine authentication to the Portal
View answer
Correct Answer: D
Question #43
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment?
A. The two devices must share a routable floating IP address
B. The two devices may be different models within the PA-5000 series
C. The HA1 IP address from each peer must be on a different subnet
D. The management port may be used for a backup control connection
View answer
Correct Answer: CD

View The Updated PALO-ALTO Exam Questions

SPOTO Provides 100% Real PALO-ALTO Exam Questions for You to Pass Your PALO-ALTO Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: