Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

Which three items must be configured to implement application override? (Choose three )

Options:

A.

Custom app

B.

Security policy rule

C.

Application override policy rule

D.

Decryption policy rule

E.

Application filter

Buy Now
Questions 5

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Options:

A.

Change the firewall management IP address

B.

Configure a device block list

C.

Add administrator accounts

D.

Rename a vsys on a multi-vsys firewall

E.

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Buy Now
Questions 6

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

Options:

A.

It applies to existing sessions and is global.

B.

It applies to new sessions and is not global.

C.

It applies to existing sessions and is not global.

D.

It applies to new sessions and is global.

Buy Now
Questions 7

As a best practice, which URL category should you target first for SSL decryption?

Options:

A.

Online Storage and Backup

B.

High Risk

C.

Health and Medicine

D.

Financial Services

Buy Now
Questions 8

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

Options:

A.

Windows User-ID agent

B.

GlobalProtect

C.

XMLAPI

D.

External dynamic list

E.

Dynamic user groups

Buy Now
Questions 9

As a best practice, logging at session start should be used in which case?

Options:

A.

While troubleshooting

B.

Only on Deny rules

C.

On all Allow rules

D.

Only when log at session end is enabled

Buy Now
Questions 10

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

Options:

A.

Phase 1 and Phase 2 SAs are synchronized over HA3 links.

B.

Phase 2 SAs are synchronized over HA2 links.

C.

Phase 1 and Phase 2 SAs are synchronized over HA2 links.

D.

Phase 1 SAs are synchronized over HA1 links.

Buy Now
Questions 11

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Buy Now
Questions 12

A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

Options:

A.

DoS Protection profile

B.

Data Filtering profile

C.

Vulnerability Protection profile

D.

URL Filtering profile

Buy Now
Questions 13

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:

A.

Proxy IDs

B.

GRE Encapsulation

C.

Tunnel Monitor

D.

ToS Header

Buy Now
Questions 14

An engineer is pushing configuration from Panorama to a managed firewall What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

Options:

A.

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

B.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

C.

The firewall rejects the pushed configuration, and the commit fails.

D.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Buy Now
Questions 15

When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the details of the Forward Trust certificate. Forward Untrust certificate, and SSL Inbound Inspection certificate?

Options:

A.

show system setting ssl-decrypt certificate

B.

show system setting ssl-decrypt certs

C.

debug dataplane show ssl-decrypt ssl-certs

D.

show system setting ssl-decrypt certificate-cache

Buy Now
Questions 16

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

Options:

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Buy Now
Questions 17

Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?

Options:

A.

Log Collector

B.

Panorama

C.

Legacy

D.

Management Only

Buy Now
Questions 18

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)

Options:

A.

RADIUS

B.

TACACS+

C.

Kerberos

D.

LDAP

E.

SAML

Buy Now
Questions 19

Which protocol is natively supported by GlobalProtect Clientless VPN?

Options:

A.

HTP

B.

SSH

C.

HTTPS

D.

RDP

Buy Now
Questions 20

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.

debug dataplane internal vif route 255

B.

show routing route type management

C.

debug dataplane internal vif route 250

D.

show routing route type service-route

Buy Now
Questions 21

View the screenshots

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?

Options:

A.

SMTP has a higher priority but lower bandwidth than Zoom.

B.

DNS has a higher priority and more bandwidth than SSH.

C.

google-video has a higher priority and more bandwidth than WebEx.

D.

Facetime has a higher priority but lower bandwidth than Zoom.

Buy Now
Questions 22

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options:

A.

Specify the subinterface as a management interface in Setup > Device > Interfaces.

B.

Add the network segment's IP range to the Permitted IP Addresses list.

C.

Enable HTTPS in an Interface Management profile on the subinterface.

D.

Configure a service route for HTTP to use the subinterface.

Buy Now
Questions 23

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Buy Now
Questions 24

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

Options:

A.

Click the hyperlink for the Zero Access.Gen threat.

B.

Click the left arrow beside the Zero Access.Gen threat.

C.

Click the source user with the highest threat count.

D.

Click the hyperlink for the hotport threat Category.

Buy Now
Questions 25

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

Options:

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application

Buy Now
Questions 26

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?

Options:

A.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option

B.

Perform a template commit push from Panorama using the "Force Template Values" option

C.

Perform a commit force from the CLI of the firewall

D.

Reload the running configuration and perform a firewall local commit

Buy Now
Questions 27

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.

increase the frequency of the applications and threats dynamic updates.

B.

Increase the frequency of the antivirus dynamic updates

C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Buy Now
Questions 28

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?

Options:

A.

certificates

B.

profiles

C.

link state

D.

stateful firewall connection

Buy Now
Questions 29

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Buy Now
Questions 30

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

Options:

A.

ECDSA

B.

ECDHE

C.

RSA

D.

DHE

Buy Now
Questions 31

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?

Options:

A.

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.

Place firewalls where administrators can opt to bypass the firewall when needed.

D.

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Buy Now
Questions 32

What happens when the log forwarding built-in action with tagging is used?

Options:

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Buy Now
Questions 33

A customer wants to deploy User-ID on a Palo Alto Network NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. the customer uses Windows

Options:

A.

Deploy the GlobalProtect as a lee data hub.

B.

Deploy Window User 0 agents on each domain controller.

C.

Deploys AILS integrated Use 10 agent on each vsys.

D.

Deploy a M.200 as a Users-ID collector.

Buy Now
Questions 34

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?

Options:

A.

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.

Update the apps and threat version using device-deployment

C.

Perform a device group push using the "merge with device candidate config" option

D.

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Buy Now
Questions 35

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Data Patterns within Objects > Custom Objects

B.

Custom Log Format within Device Server Profiles> Syslog

C.

Built-in Actions within Objects > Log Forwarding Profile

D.

Logging and Reporting Settings within Device > Setup > Management

Buy Now
Questions 36

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Options:

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Buy Now
Questions 37

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?

Options:

A.

Navigate to Objects > Security Profiles > Anti-Spyware Select related profile Select DNS exceptions tabs Search related threat ID and click enable Commit

B.

Navigate to Objects > Security Profiles > Vulnerability Protection Select related profile

Select the signature exceptions tab and then click show all signatures Search related threat ID and click enable Change the default action Commit

C.

Navigate to Objects > Security Profiles > Vulnerability Protection

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable

Commit

D.

Navigate to Objects > Security Profiles > Anti-Spyware

Select related profile

Select the Exceptions lab and then click show all signatures

Search related threat ID and click enable Commit

Buy Now
Questions 38

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)

Options:

A.

/content

B.

/software

C.

/piugins

D.

/license

E.

/opt

Buy Now
Questions 39

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns'? (Choose two.)

Options:

A.

Traffic logs

B.

Data filtering logs

C.

Policy Optimizer

D.

Wireshark

Buy Now
Questions 40

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

    End-users must not get the warning for the https://www.very-important-website.com/ website

    End-users should get the warning for any other untrusted websiteWhich approach meets the two customer requirements?

Options:

A.

Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores

B.

Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

Buy Now
Questions 41

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

Options:

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Buy Now
Questions 42

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

Options:

A.

With the relevant configuration log filter inside Device > Log Settings

B.

With the relevant system log filter inside Objects > Log Forwarding

C.

With the relevant system log filter inside Device > Log Settings

D.

With the relevant configuration log filter inside Objects > Log Forwarding

Buy Now
Questions 43

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?

Options:

A.

Yes, because the action is set to alert

B.

No, because this is an example from a defeated phishing attack

C.

No, because the severity is high and the verdict is malicious.

D.

Yes, because the action is set to allow.

Buy Now
Questions 44

A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address.

Which two actions are required for this scenario to work? (Choose two.)

Options:

A.

On the HQ firewall select peer IP address type FQDN

B.

On the remote location firewall select peer IP address type Dynamic

C.

On the HQ firewall enable DDNS under the interface used for the IPSec tunnel

D.

On the remote location firewall enable DONS under the interface used for the IPSec tunnel

Buy Now
Questions 45

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Buy Now
Questions 46

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Buy Now
Questions 47

An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?

Options:

A.

Panorama must use the same plugin version numbers for both AWS and NSX-V environments before device group inheritance can function properly

B.

Panorama requires the objects to be overridden in the child device group before firewalls in different hypervisors can inherit Security policies

C.

Panorama by default does not allow different hypervisors in parent/child device groups, but this can be overridden with the command "set device-group allow-multi-hypervisor enable"

D.

Panorama does not support policy inheritance across device groups containing firewalls deployed in different hypervisors when using multiple plugins

Buy Now
Questions 48

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?

Options:

A.

The firewall template will show that it is out of sync within Panorama

B.

Only Panorama can revert the override

C.

The modification will not be visible in Panorama

D.

Panorama will update the template with the overridden value

Buy Now
Questions 49

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?

Options:

A.

Enable certificate revocation checking to deny access to sites with revoked certificates

B.

Add the certificate CN to the SSL Decryption Exclusion List to allow traffic without decryption

C.

Check for expired certificates and take appropriate actions to block or allow access based on business needs

D.

Contact the site administrator with the expired certificate to request updates or renewal

Buy Now
Questions 50

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)

Options:

A.

Telemetry feature is automatically enabled during PAN-OS installation.

B.

Telemetry data is uploaded into Strata Logging Service.

C.

Telemetry feature is using Traffic logs and packet captures to collect data.

D.

Telemetry data is shared in real time with Palo Alto Networks.

Buy Now
Questions 51

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

Options:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Buy Now
Questions 52

Match the terms to their corresponding definitions

Options:

Buy Now
Questions 53

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

Options:

A.

A web server certificate signed by the organization's PKI

B.

A self-signed certificate generated on the firewall

C.

A subordinate Certificate Authority certificate signed by the organization's PKI

D.

A web server certificate signed by an external Certificate Authority

Buy Now
Questions 54

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

Options:

A.

Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

B.

Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

C.

Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes

D.

Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices

Buy Now
Questions 55

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?

Options:

A.

Set up high availability (HA) and increase the IPsec rekey interval to reduce the likelihood of tunnel disruptions

B.

Set up a backup tunnel and reduce the tunnel monitoring interval and threshold to detect failures quickly

C.

Set up high availability (HA) and disable tunnel monitoring to prevent unnecessary failovers due to temporary connectivity issues

D.

Set up a backup tunnel and change the tunnel monitoring profile from "Wait Recover" to "Fail Over"

Buy Now
Questions 56

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?

Options:

A.

Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.

B.

Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.

C.

Create a custom application with specific timeouts, then create an application override rule and reference the custom application.

D.

Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Buy Now
Questions 57

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

Options:

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Buy Now
Questions 58

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Buy Now
Questions 59

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

Options:

A.

Firewalls which support policy-based VPNs.

B.

The remote device is a non-Palo Alto Networks firewall.

C.

Firewalls which support route-based VPNs.

D.

The remote device is a Palo Alto Networks firewall.

Buy Now
Questions 60

Please match the terms to their corresponding definitions.

Options:

Buy Now
Questions 61

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Custom Log Format within Device > Server Profiles > Syslog

B.

Built-in Actions within Objects > Log Forwarding Profile

C.

Logging and Reporting Settings within Device > Setup > Management

D.

Data Patterns within Objects > Custom Objects

Buy Now
Questions 62

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

Options:

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Buy Now
Questions 63

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Options:

A.

Configure a floating IP between the firewall pairs.

B.

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.

On one pair of firewalls, run the CLI command: set network interface vlan arp.

Buy Now
Questions 64

A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?

Options:

A.

South

B.

West

C.

East

D.

Central

Buy Now
Questions 65

What does the User-ID agent use to find login and logout events in syslog messages?

Options:

A.

Syslog Server profile

B.

Authentication log

C.

Syslog Parse profile

D.

Log Forwarding profile

Buy Now
Questions 66

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Buy Now
Questions 67

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

Options:

A.

Voice

B.

Fingerprint

C.

SMS

D.

User certificate

E.

One-time password

Buy Now
Questions 68

Which CLI command displays the physical media that are connected to ethernet1/8?

Options:

A.

> show system state filter-pretty sys.si. p8. stats

B.

> show system state filter-pretty sys.sl.p8.phy

C.

> show system state filter-pretty sys.sl.p8.med

D.

> show interface ethernet1/8

Buy Now
Questions 69

The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS. Traffic logs can be exclude from syslog forwarding. How should syslog log forwarding be configured?

Options:

A.

With (port,dst neq 53)’ Traffic log filter Object > Log Forwarding.

B.

With ‘(port dst neq 53)’ Traffic log filter inside Device > log Settings.

C.

With ‘(app neq dns-base)’’ Traffic log filter inside Device> Log Settings.

D.

With ‘(app neq dns-base)’’ Traffic log filter inside Objects> Log Forwarding

Buy Now
Questions 70

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

Options:

A.

NAT

B.

DOS protection

C.

QoS

D.

Tunnel inspection

Buy Now
Questions 71

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Buy Now
Questions 72

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

Options:

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Buy Now
Questions 73

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available resulting in the server sharing MAT IP 198 51 100 B8 with another OMZ serve that uses IP address 192 168 19? 60 Firewall security and NAT rules have been configured The application team has confirmed mat the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 196 51 100 88 from 203.0.113.40 However it confirm a successful prig test to 198 51 100 88 Referring to the MAT configuration and traffic logs provided how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

Options:

A.

Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address." both external servers as "Destination Address." and Source Translation remaining as is with bidirectional option enabled

B.

Sharing a single NAT IP is possible for outbound connectivity not for inbound, therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

C.

Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.

D.

Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.

Buy Now
Questions 74

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Buy Now
Questions 75

An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies the administrator must update all the IPSec VPNs with new pre-shared keys Where are the pre-shared keys located on the firewall?

Options:

A.

Network/lPSec Tunnels

B.

Network/Network Profiles/IKE Gateways

C.

Network/Network ProfilesTlPSec Crypto

D.

Network/Network Profiles/IKE Crypto

Buy Now
Questions 76

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Buy Now
Questions 77

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

Options:

A.

> show counter global filter packet-filter yes delta yes

B.

> show counter global filter severity drop

C.

> debug dataplane packet-diag set capture stage drop

D.

> show counter global filter delta yes I match 10.1.1-1

Buy Now
Questions 78

Why would a traffic log list an application as "not-applicable”?

Options:

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Buy Now
Questions 79

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three

Options:

A.

Configure a URL profile to block the phishing category.

B.

Create a URL filtering profile

C.

Enable User-ID.

D.

Create an anti-virus profile.

E.

Create a decryption policy rule.

Buy Now
Questions 80

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Options:

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Buy Now
Questions 81

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.

Perform a commit force from the CLI of the firewall.

B.

Perform a template commit push from Panorama using the "Force Template Values" option.

C.

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.

Reload the running configuration and perform a Firewall local commit.

Buy Now
Questions 82

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Device Group and Template Admin

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Dynamic Read-only Superuser

D.

Create a Custom Panorama Admin

Buy Now
Questions 83

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

Options:

A.

To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Buy Now
Questions 84

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is configure an applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)

Options:

A.

Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.

B.

Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

C.

Select the action "download-only" when configuring an Applications and Threats update schedule.

D.

Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours

Buy Now
Questions 85

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Buy Now
Questions 86

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Buy Now
Questions 87

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

Options:

A.

An SSL/TLS Service profile with a certificate assigned.

B.

An Interface Management profile with HTTP and HTTPS enabled.

C.

A Certificate profile with a trusted root CA.

D.

An Authentication profile with the allow list of users.

Buy Now
Questions 88

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

Options:

A.

Threat

B.

HIP Match

C.

Traffic

D.

Configuration

Buy Now
Questions 89

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Options:

A.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: Static IP / 172.16.15.1

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 172.16.15.10 -

Application: ssh

B.

NAT Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

C.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP /172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

D.

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

Buy Now
Questions 90

Review the images. A firewall policy that permits web traffic includes the global-logs policy is depicted

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

Options:

A.

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Buy Now
Questions 91

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution

How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?

Options:

A.

Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.

B.

Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.

C.

Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution

D.

Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

Buy Now
Questions 92

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Options:

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.

2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.

2. Check the box for negate option to negate this IP from the NAT translation.

Buy Now
Questions 93

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

Options:

A.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured

B.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings

C.

A User-ID Certificate profile must be configured on Panorama

D.

N/A

Buy Now
Questions 94

Which template values will be configured on the firewall if each template has an SSL to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Datacenter

B.

Values in efwOlab.chi

C.

Values in Global Settings

D.

Values in Chicago

Buy Now
Questions 95

A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which consideration should the engineers take into account when planning to enable IPv6?

Options:

A.

Device > Setup Settings Do not enable on each interface

B.

Network > Zone Settings Do not enable on each interface

C.

Network > Zone Settings Enable on each interface

D.

Device > Setup Settings Enable on each interface

Buy Now
Questions 96

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

Options:

A.

Tunnel

B.

Ethernet

C.

VLAN

D.

Lookback

Buy Now
Questions 97

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Buy Now
Questions 98

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

Options:

A.

Run the CLI command show advanced-routing ospf neighbor

B.

In the WebUI, view the Runtime Stats in the virtual router

C.

Look for configuration problems in Network > virtual router > OSPF

D.

In the WebUI, view Runtime Stats in the logical router

Buy Now
Questions 99

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?

Options:

A.

Application Groups

B.

Policy Optimizer

C.

Test Policy Match

D.

Config Audit

Buy Now
Questions 100

What must be taken into consideration when preparing a log forwarding design for all of a customer’s deployed Palo Alto Networks firewalls?

Options:

A.

The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected

B.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules

C.

App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected

D.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings"

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Apr 3, 2025
Questions: 294
PCNSE pdf

PCNSE PDF

$25.5  $84.99
PCNSE Engine

PCNSE Testing Engine

$30  $99.99
PCNSE PDF + Engine

PCNSE PDF + Testing Engine

$40.5  $134.99