PCNSE Exam Questions 2024 Updated: Get Ready for Exams, Palo Alto Networks Certified | SPOTO

Prepare thoroughly for your PCNSE exam with our updated 2024 exam questions. Our comprehensive resources, including practice tests, online exam questions, exam dumps, and mock exams, ensure effective exam preparation. Tailored specifically for the PCNSE certification, our exam materials cover all aspects of designing, installing, configuring, maintaining, and troubleshooting Palo Alto Networks implementations. As the essential exam for obtaining the Palo Alto Networks Certified Network Security Engineer (PCNSE) certification, success hinges on meticulous preparation. Utilize our sample questions and exam questions and answers to enhance your understanding and proficiency. With SPOTO, accessing the latest practice tests becomes effortless, ensuring you're well-equipped to pass the certification exam with confidence. Trust in our resources to guide you towards certification success and elevate your expertise in Palo Alto Networks technology.

Question #1
Which three settings are defined within the Templates object of Panorama? (Choose three.)
A. Setup
B. Virtual Routers
C. Interfaces
D. Security
E. Application Override
Correct Answer: B
Question #2
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)
A. HA1 IP Address
B. Network Interface Type
C. Master Key
D. Zone Protection Profile
Correct Answer: B
Question #3
During the packet flow process, which two processes are performed in application identification? (Choose two.)
A. pattern based application identification
B. application changed from content inspection
C. session application identified
D. application override policy match
Correct Answer: A
Question #4
Click the Exhibit button below. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC?
A. 172
B. 172
C. 172
D. 172
Correct Answer: D
Question #5
Which GlobalProtect Client connect method requires the distribution and use of machine certificates?
A. User-logon (Always on)
B. At-boot
C. On-demand
D. Pre-logon
Correct Answer: A
Question #6
Updates to dynamic user group membership are automatic; therefore, using dynamic user groups instead of static group objects allows you to:
A. respond to changes in user behavior or potential threats using manual policy changes
B. respond to changes in user behavior or potential threats without automatic policy changes
C. respond to changes in user behavior and confirmed threats with manual policy changes
D. respond to changes in user behavior or potential threats without manual policy changes
Correct Answer: A
Question #7
Which is not a valid reason for receiving a decrypt-cert-validation error?
A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer
Correct Answer: B
Question #8
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?
A. Device > Setup > Services > AutoFocus
B. Device > Setup > Management > AutoFocus
C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
D. Device > Setup > WildFire > AutoFocus
E. Device > Setup > Management > Logging and Reporting Settings
Correct Answer: D
Question #9
A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab. What could cause this condition?
A. The firewall does not have an active WildFire subscription
B. The engineer's account does not have permission to view WildFire Submissions
C. A policy is blocking WildFire Submission traffic
D. Though WildFire is working, there are currently no WildFire Submissions log entries
Correct Answer: D
Question #10
Which two events trigger the operation of automatic commit recovery? (Choose two.)
A. when an aggregate Ethernet interface component fails
B. when Panorama pushes a configuration
C. when a firewall HA pair fails over
D. when a firewall performs a local commit
Correct Answer: ABDF
Question #11
VPN traffic intended for an administrator’s Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?
A. Zone Protection
B. Replay
C. Web Application
D. DoS Protection
Correct Answer: D
Question #12
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information: * DMZ zone: DMZ-L3 * Public zone: Untrust-L3 * Guest zone: Guest-L3 * Web server zone: Trust-L3 * Public IP address (Untrust-L3): 1.1.1.1 * Private IP address (Trust-L3): 192.168.1.50 What should be configured as the destination zone on the Original Packet tab of NAT Polic
A. Untrust-L3
B. DMZ-L3
C. Guest-L3
D. Trust-L3
Correct Answer: C
Question #13
A distributed log collection deployment has dedicated log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first?
A. Remove the cable from the management interface, reload the log Collector and then re-connect that cable
B. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments
C. remove the device from the Collector Group
D. Revert to a previous configuration
Correct Answer: BC
Question #14
People are having intermittent quality issues during a live meeting via web application.
A. Use QoS profile to define QoS Classes
B. Use QoS Classes to define QoS Profile
C. Use QoS Profile to define QoS Classes and a QoS Policy
D. Use QoS Classes to define QoS Profile and a QoS Policy
Correct Answer: BD
Question #15
Which administrative authentication method supports authorization by an external service?
A. Certificates
B. LDAP
C. RADIUS
D. SSH keys
Correct Answer: D
Question #16
Which three authentication factors does PAN-OS software support for MFA? (Choose three.)
A. Push
B. Pull
C. Okta Adaptive
D. Voice
E. SMS
Correct Answer: C
Question #17
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
A. Deny application facebook-chat before allowing application facebook
B. Deny application facebook on top
C. Allow application facebook on top
D. Allow application facebook before denying application facebook-chat
Correct Answer: A
Question #18
How are IPv6 DNS queries configured to use interface ethernet1/3?
A. Network > Virtual Router > DNS Interface
B. Objects > CustomerObjects > DNS
C. Network > Interface Mgmt
D. Device > Setup > Services > Service Route Configuration
Correct Answer: BE
Question #19
Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company. What would be the administrator's next step?
A. Right-Click on the bittorrent link and select Value from the context menu
B. Create a global filter for bittorrent traffic and then view Traffic logs
C. Create local filter for bittorrent traffic and then view Traffic logs
D. Click on the bittorrent application link to view network activity
Correct Answer: AC
Question #20
What must be used in Security policy rules that contain addresses where NAT policy applies?
A. Pre-NAT addresses and Pre-NAT zones
B. Post-NAT addresses and Post-NAT zones
C. Pre-NAT addresses and Post-NAT zones
D. Post-NAT addresses and Pre-NAT zones
Correct Answer: BDE
Question #21
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?
A. Security policy rule allowing SSL to the target server
B. Firewall connectivity to a CRL
C. Root certificate imported into the firewall with “Trust” enabled
D. Importation of a certificate from an HSM
Correct Answer: B
Question #22
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two)
A. BGP
B. OSPFv3
C. RIP
D. Static Route
Correct Answer: A
Question #23
Which CLI command can be used to export the tcpdump capture?
A. scp export tcpdump from mgmt
B. scp extract mgmt-pcap from mgmt
C. scp export mgmt-pcap from mgmt
D. download mgmt
Correct Answer: D
Question #24
Which two interface types can be used when configuring GlobalProtect Portal? (Choose two)
A. Virtual Wire
B. Loopback
C. Layer 3
D. Tunnel
Correct Answer: A
Question #25
How can a candidate or running configuration be copied to a host external from Panorama?
A. Commit a running configuration
B. Save a configuration snapshot
C. Save a candidate configuration
D. Export a named configuration snapshot
Correct Answer: AC
Question #26
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.)
A. ae
B. aggregate
C. ae
D. aggregate
Correct Answer: C
Question #27
To protect your firewall and network from single-source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:
A. BGP (Border Gateway Protocol)
B. PBP (Packet Buffer Protection)
C. PGP (Packet Gateway Protocol)
D. PBP (Protocol Based Protection)
Correct Answer: ADE
Question #28
Which method will dynamically register tags on the Palo Alto Networks NGFW?
A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
B. Restful API or the VMware API on the firewall or on the User-ID agent
C. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
Correct Answer: CD
Question #29
Which CLI command displays the current management plane memory utilization?
A. > show system info
B. > show system resources
C. > debug management-server show
D. > show running resource-monitor
Correct Answer: B
Question #30
Which virtual router feature determines if a specific destination IP address is reachable?
A. Heartbeat Monitoring
B. Failover
C. Path Monitoring
D. Ping-Path
Correct Answer: D
Question #31
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?
A. * 1
B. * 1 Select Device > Certificates * 2 Select Certificate Profile * 3 Generate the certificate * 4 Select Block Private Key Export
C. * 1 Select Device > Certificates * 2 Select Certificate Profile
D. * 1 Select Device > Certificate Management > Certificates > Device > Certificates * 2 Generate the certificate * 3 Select Block Private Key Export * 4 Click Generate to generate the new certificate
Correct Answer: C
Question #32
A session in the Traffic log is reporting the application as “incomplete.” What does “incomplete” mean?
A. The three-way TCP handshake was observed, but the application could not be identified
B. The three-way TCP handshake did not complete
C. The traffic is coming across UDP, and the application could not be identified
D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied
Correct Answer: A
Question #33
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?
A. Disable Server Response Inspection
B. Apply an Application Override
C. Disable HIP Profile
D. Add server IP Security Policy exception
Correct Answer: ABF
Question #34
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?
A. Configure a Decryption Profile and select SSL/TLS services
B. Set up SSL/TLS under Policies > Service/URL Category > Service
C. Set up Security policy rule to allow SSL communication
D. Configure an SSL/TLS Profile
Correct Answer: C
Question #35
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)
A. Red Hat Enterprise Virtualization (RHEV)
B. Kernel Virtualization Module (KVM)
C. Boot Strap Virtualization Module (BSVM)
D. Microsoft Hyper-V
Correct Answer: C
Question #36
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?
A. Vulnerability Protection
B. Anti-Spyware
C. URL Filtering
D. Antivirus
Correct Answer: D
Question #37
A company hosts a publicly accessible web server behind a Palo Alto Networks next-generation firewall with the following configuration information: * Users outside the company are in the "Untrust-L3" zone. * The web server physically resides in the "Trust-L3" zone. * Web server public IP address: 23.54.6.10 * Web server private IP address: 192.168.1.10 Which two items must the NAT policy contain to allow users in the Untrust-L3 zone to access the web server? (Choose two.)
A. Destination IP of 23
B. Untrust-L3 for both Source and Destination Zone
C. Destination IP of 192
D. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
Correct Answer: ABC
Question #38
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?
A. Configure the option for “Threshold”
B. Disable automatic updates during weekdays
C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update
D. Automatically “download and install” but with the “disable new applications” option used
Correct Answer: C
Question #39
When is the content inspection performed in the packet flow process?
A. after the application has been identified
B. before session lookup
C. before the packet forwarding process
D. after the SSL Proxy re-encrypts the packet
Correct Answer: A
Question #40
A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy?
A. Configure ECMP to handle matching NAT traffic
B. Configure a NAT Policy rule with Dynamic IP and Port
C. Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option
D. Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option
Correct Answer: B
Question #41
Which is the maximum number of samples that can be submitted to WildFire per day, based on WildFire subscription?
A. 15,000
B. 10,000
C. 75,00
D. 5,000
Correct Answer: AD
Question #42
How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?
A. by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
B. by using security policies, log forwarding profiles, and log settings
C. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
D. There is no native auto-quarantine feature so a custom script would need to be leveraged
Correct Answer: A
Question #43
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall?
A. Master
B. Universal
C. Shared
D. Global
Correct Answer: D