Special Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.

Packet Buffer Protection

B.

Zone Protection

C.

Vulnerability Protection

D.

DoS Protection

Buy Now
Questions 5

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

Options:

A.

Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.

B.

Create an Application Override using TCP ports 443 and 80.

C.

Add the HTTP. SSL. and Evernote applications to the same Security policy.

D.

Add only the Evernote application to the Security policy rule.

Buy Now
Questions 6

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

Options:

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

Buy Now
Questions 7

View the screenshots

PCNSE Question 7

PCNSE Question 7

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?

Options:

A.

SMTP has a higher priority but lower bandwidth than Zoom.

B.

DNS has a higher priority and more bandwidth than SSH.

C.

google-video has a higher priority and more bandwidth than WebEx.

D.

Facetime has a higher priority but lower bandwidth than Zoom.

Buy Now
Questions 8

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.

A service route to the LDAP server

B.

A Master Device

C.

Authentication Portal

D.

A User-ID agent on the LDAP server

Buy Now
Questions 9

As a best practice, logging at session start should be used in which case?

Options:

A.

While troubleshooting

B.

Only on Deny rules

C.

On all Allow rules

D.

Only when log at session end is enabled

Buy Now
Questions 10

What happens when the log forwarding built-in action with tagging is used?

Options:

A.

Destination IP addresses of selected unwanted traffic are blocked. *

B.

Selected logs are forwarded to the Azure Security Center.

C.

Destination zones of selected unwanted traffic are blocked.

D.

Selected unwanted traffic source zones are blocked.

Buy Now
Questions 11

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.

Which profile should be configured in order to achieve this?

Options:

A.

SSH Service profile

B.

SSL/TLS Service profile

C.

Certificate profile

D.

Decryption profile

Buy Now
Questions 12

Match the terms to their corresponding definitions

PCNSE Question 12

Options:

Buy Now
Questions 13

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?

Options:

A.

Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.

B.

Open a support case.

C.

Review traffic logs to add the exception from there.

D.

Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.

Buy Now
Questions 14

A firewall architect is attempting to install a new Palo Alto Networks NGFW. The company has previously had issues moving all administrative functions onto a data plane interface to meet the design limitations of the environment. The architect is able to access the device for HTTPS and SSH; however, the NGFW can neither validate licensing nor get updates. Which action taken by the architect will resolve this issue?

Options:

A.

Create a service route that sets the source interface to the data plane interface in question

B.

Validate that all upstream devices will allow and properly route the outbound traffic to the external destinations needed

C.

Create a loopback from the management interface to the data plane interface, then make a service route from the management interface to the data plane interface

D.

Enable OCSP for the data plane interface so the firewall will create a certificate with the data plane interface’s IP

Buy Now
Questions 15

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?

Options:

A.

A User-ID Certificate profile must be configured on Panorama.

B.

The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.

C.

User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.

D.

A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

Buy Now
Questions 16

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

Options:

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User ID is not enabled in the Zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Buy Now
Questions 17

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

PCNSE Question 17

Which template values will be configured on the firewall If each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Chicago

B.

Values in efw01lab.chi

C.

Values in Datacenter

D.

Values in Global Settings

Buy Now
Questions 18

Refer to the exhibit.

PCNSE Question 18

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?

Options:

A.

ethernet1/6

B.

ethernet1/3

C.

ethernet1/7

D.

ethernet1/5

Buy Now
Questions 19

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)

Options:

A.

VirtualWire

B.

Layer3

C.

TAP

D.

Layer2

Buy Now
Questions 20

As a best practice, which URL category should you target first for SSL decryption?

Options:

A.

Online Storage and Backup

B.

High Risk

C.

Health and Medicine

D.

Financial Services

Buy Now
Questions 21

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.

Deny

B.

Discard

C.

Allow

D.

Next VR

Buy Now
Questions 22

Which template values will be configured on the firewall if each template has an SSL to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?

Options:

A.

Values in Datacenter

B.

Values in efwOlab.chi

C.

Values in Global Settings

D.

Values in Chicago

Buy Now
Questions 23

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns'? (Choose two.)

Options:

A.

Traffic logs

B.

Data filtering logs

C.

Policy Optimizer

D.

Wireshark

Buy Now
Questions 24

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?

Options:

A.

Configure a dynamic address group for the addresses to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these addresses when logs are generated in the threat log. Under Device > User Identification > Trusted Source Address, add the condition "NOT malicious."

B.

Configure a dynamic user group for the users to be blocked with the tag "malicious." Add a Log Forwarding profile to the other policies, which adds the "malicious" tag to these users when logs are generated in the threat log. Create policies to block traffic from this user group.

C.

Configure the appropriate security profiles for Antivirus, Anti-Spyware, and Vulnerability Prevention, create signature policies for the relevant signatures and/or severities. Under the "Actions" tab in "Signature Policies," select "block-user."

D.

N/A

Buy Now
Questions 25

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.

debug dataplane internal vif route 255

B.

show routing route type management

C.

debug dataplane internal vif route 250

D.

show routing route type service-route

Buy Now
Questions 26

Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?

Options:

A.

Log Collector

B.

Panorama

C.

Legacy

D.

Management Only

Buy Now
Questions 27

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?

Options:

A.

It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.

B.

It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.

C.

It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.

D.

It keeps trying to establish an IPSec tun£el to the GlobalProtect gateway.

Buy Now
Questions 28

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Buy Now
Questions 29

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?

Options:

A.

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.

Update the apps and threat version using device-deployment

C.

Perform a device group push using the "merge with device candidate config" option

D.

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Buy Now
Questions 30

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

Options:

A.

debug ike stat

B.

test vpn ipsec-sa tunnel

C.

show vpn ipsec-sa tunnel

D.

test vpn ike-sa gateway

Buy Now
Questions 31

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

Options:

A.

Export device state

B.

Load configuration version

C.

Load named configuration snapshot

D.

Save candidate config

Buy Now
Questions 32

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Buy Now
Questions 33

Which type of zone will allow different virtual systems to communicate with each other?

Options:

A.

Tap

B.

External

C.

Virtual Wire

D.

Tunnel

Buy Now
Questions 34

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

PCNSE Question 34

Options:

A.

IP Netmask

B.

IP Wildcard Mask

C.

IP Address

D.

IP Range

Buy Now
Questions 35

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

Options:

A.

Contact the site administrator with the expired certificate to request updates or renewal.

B.

Enable certificate revocation checking to deny access to sites with revoked certificates. -"

C.

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Buy Now
Questions 36

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?

Options:

A.

Create a custom application and define it by the correct TCP and UDP ports

B.

Create an application filter based on the existing application category and risk

C.

Add specific applications that are seen when creating cloned rules

D.

Add the relevant container application when creating cloned rules

Buy Now
Questions 37

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

Options:

A.

The forward untrust certificate has not been signed by the self-singed root CA certificate.

B.

The forward trust certificate has not been installed in client systems.

C.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

D.

The forward trust certificate has not been signed by the self-singed root CA certificate.

Buy Now
Questions 38

Which three statements accurately describe Decryption Mirror? (Choose three.)

Options:

A.

Decryption Mirror requires a tap interface on the firewall

B.

Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel

C.

Only management consent is required to use the Decryption Mirror feature.

D.

Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries.

E.

You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.

Buy Now
Questions 39

Exhibit.

PCNSE Question 39

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms The network team has reported excessive traffic on the corporate WAN How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

Options:

A.

Any configuration on an M-500 would address the insufficient bandwidth concerns

B.

Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW

C.

Configure log compression and optimization features on all remote firewalls

D.

Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.

Buy Now
Questions 40

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)

Options:

A.

NTP Server Address

B.

Antivirus Profile

C.

Authentication Profile

D.

Service Route Configuration

E.

Dynamic Address Groups

Buy Now
Questions 41

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?

Options:

A.

test vpn ike-sa

B.

test vpn gateway

C.

test vpn flow

D.

test vpn tunnel

Buy Now
Questions 42

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

Options:

A.

SSL/TLS Service Profile

B.

SSH Service Profile

C.

Certificate Profile

D.

Decryption Profile

Buy Now
Questions 43

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?

Options:

A.

To comply with data privacy regulations, WildFire signatures and ver-dicts are not shared globally.

B.

Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.

C.

Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds.

D.

The WildFire Global Cloud only provides bare metal analysis.

Buy Now
Questions 44

Which log type is supported in the Log Forwarding profile?

Options:

A.

Configuration

B.

GlobalProtect

C.

Tunnel

D.

User-ID

Buy Now
Questions 45

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three

Options:

A.

Configure a URL profile to block the phishing category.

B.

Create a URL filtering profile

C.

Enable User-ID.

D.

Create an anti-virus profile.

E.

Create a decryption policy rule.

Buy Now
Questions 46

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

Options:

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Buy Now
Questions 47

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Buy Now
Questions 48

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?

Options:

A.

Monitor > Logs > System

B.

Objects > Log Forwarding

C.

Panorama > Managed Devices

D.

Device > Log Settings

Buy Now
Questions 49

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

Options:

A.

Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.

B.

Firewalls send SNMP traps to Panorama wen resource exhaustion is detected Panorama generates a system log and can send email alerts.

C.

Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

D.

Panorama provides visibility all the system and traffic logs received from firewalls it does not offer any ability to see or monitor resource utilization on managed firewalls

Buy Now
Questions 50

What must be taken into consideration when preparing a log forwarding design for all of a customer’s deployed Palo Alto Networks firewalls?

Options:

A.

The logs will not contain the names of the identified applications unless the "Enable enhanced application logging" option is selected

B.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is attached to the security rules

C.

App-ID engine will not identify any application traffic unless the "Enable enhanced application logging" option is selected

D.

Traffic and threat logs will not be forwarded unless the relevant Log Forwarding profile is selected in "Logging and Reporting Settings"

Buy Now
Questions 51

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?

PCNSE Question 51

Options:

A.

The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring

B.

No action was taken because Path Monitoring is disabled

C.

No action was taken because interface ethernet1/1 did not fail

D.

The active firewall failed over to the passive HA member due to an AE1 Link Group failure

Buy Now
Questions 52

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?

Options:

A.

Enable PFS under the IKE Gateway advanced options

B.

Enable PFS under the IPsec Tunnel advanced options

C.

Select the appropriate DH Group under the IPsec Crypto profile

D.

Add an authentication algorithm in the IPsec Crypto profile

Buy Now
Questions 53

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

Options:

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Buy Now
Questions 54

The UDP-4501 protocol-port is to between which two GlobalProtect components?

Options:

A.

GlobalProtect app and GiobalProtect satellite

B.

GlobalRrotect app and GlobalProtect gateway

C.

GlobalProtect portal and GlobalProtect gateway

D.

GlobalProtect app and GlobalProtect portal

Buy Now
Questions 55

Which protocol is natively supported by GlobalProtect Clientless VPN?

Options:

A.

HTP

B.

SSH

C.

HTTPS

D.

RDP

Buy Now
Questions 56

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

Options:

A.

Create a Group Mapping for the GlobalProtect Group.

B.

Enable Captive Portal on the expected source interfaces.

C.

Add the users to the proper Dynamic User Group.

D.

Enable User-ID on the expected trusted zones.

Buy Now
Questions 57

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)

Options:

A.

An Application Override policy for the SIP traffic

B.

QoS on the egress interface for the traffic flows

C.

QoS on the ingress interface for the traffic flows

D.

A QoS profile defining traffic classes

E.

A QoS policy for each application ID

Buy Now
Questions 58

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?

Options:

A.

show routing protocol bgp summary

B.

show routing protocol bgp rib-out

C.

show routing protocol bgp state

D.

show routing protocol bgp peer

Buy Now
Questions 59

Which link is responsible for synchronizing sessions between high availability (HA) peers?

Options:

A.

HA1

B.

HA3

C.

HA4

D.

HA2

Buy Now
Questions 60

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.

C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.

D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.

Buy Now
Questions 61

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Data Patterns within Objects > Custom Objects

B.

Custom Log Format within Device Server Profiles> Syslog

C.

Built-in Actions within Objects > Log Forwarding Profile

D.

Logging and Reporting Settings within Device > Setup > Management

Buy Now
Questions 62

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

Options:

A.

Destination Zone Outside. Destination IP address 2.2.2.1

B.

Destination Zone DMZ, Destination IP address 10.10.10.1

C.

Destination Zone DMZ, Destination IP address 2.2.2.1

D.

Destination Zone Outside. Destination IP address 10.10.10.1

Buy Now
Questions 63

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

Options:

A.

Data Filtering

B.

Configuration

C.

Threat

D.

Traffic

Buy Now
Questions 64

An administrator wants to enable WildFire inline machine learning. Which three file types does WildFire inline ML analyze? (Choose three.)

Options:

A.

Powershell scripts

B.

VBscripts

C.

MS Office

D.

APK

E.

ELF

Buy Now
Questions 65

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)

Options:

A.

Successful GlobalProtect Deployed Activity

B.

GlobalProtect Deployment Activity

C.

GlobalProtect Quarantine Activity

D.

Successful GlobalProtect Connection Activity

Buy Now
Questions 66

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?

Options:

A.

TCP Fast Open in the Strip TCP options

B.

Ethernet SGT Protection

C.

Stream ID in the IP Option Drop options

D.

Record Route in IP Option Drop options

Buy Now
Questions 67

Exhibit.

PCNSE Question 67

Given the screenshot, how did the firewall handle the traffic?

Options:

A.

Traffic was allowed by profile but denied by policy as a threat.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by policy but denied by profile as encrypted.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Buy Now
Questions 68

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?

Options:

A.

It applies to existing sessions and is global.

B.

It applies to new sessions and is not global.

C.

It applies to existing sessions and is not global.

D.

It applies to new sessions and is global.

Buy Now
Questions 69

Which three items must be configured to implement application override? (Choose three )

Options:

A.

Custom app

B.

Security policy rule

C.

Application override policy rule

D.

Decryption policy rule

E.

Application filter

Buy Now
Questions 70

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67

Options:

A.

The PanGPS process failed to connect to the PanGPA process on port 4767

B.

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.

The PanGPA process failed to connect to the PanGPS process on port 4767

D.

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767

Buy Now
Questions 71

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Buy Now
Questions 72

What is the best definition of the Heartbeat Interval?

Options:

A.

The interval in milliseconds between hello packets

B.

The frequency at which the HA peers check link or path availability

C.

The frequency at which the HA peers exchange ping

D.

The interval during which the firewall will remain active following a link monitor failure

Buy Now
Questions 73

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Buy Now
Questions 74

Which source is the most reliable for collecting User-ID user mapping?

Options:

A.

Syslog Listener

B.

Microsoft Exchange

C.

Microsoft Active Directory

D.

GlobalProtect

Buy Now
Questions 75

PCNSE Question 75

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?

Options:

A.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.

B.

The firewall will allow HTTP Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.

C.

The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

D.

The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

Buy Now
Questions 76

All firewall at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a sylog server and forward all firewall logs to the syslog server and to the log collectors. There is known logging peak time during the day, and the security team has asked the firewall engineer to determined how many logs per second the current Palo Alto Networking log processing at that particular time. Which method is the most time-efficient to complete this task?

Options:

A.

Navigate to Panorama > Managed Collectors, and open the Statistics windows for each Log Collector during the peak time.

B.

Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received.

C.

Navigate to Panorama> Managed Devices> Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

D.

Navigate to ACC> Network Activity, and determine the total number of sessions and threats during the peak time.

Buy Now
Questions 77

The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS. Traffic logs can be exclude from syslog forwarding. How should syslog log forwarding be configured?

Options:

A.

With (port,dst neq 53)’ Traffic log filter Object > Log Forwarding.

B.

With ‘(port dst neq 53)’ Traffic log filter inside Device > log Settings.

C.

With ‘(app neq dns-base)’’ Traffic log filter inside Device> Log Settings.

D.

With ‘(app neq dns-base)’’ Traffic log filter inside Objects> Log Forwarding

Buy Now
Questions 78

Which two are required by IPSec in transport mode? (Choose two.)

Options:

A.

Auto generated key

B.

NAT Traversal

C.

IKEv1

D.

DH-group 20 (ECP-384 bits)

Buy Now
Questions 79

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?

Options:

A.

The amount of decrypted traffic

B.

The timeout value for admin sessions

C.

The number of mapped User-ID groups

D.

The number of permitted IP addresses on the management interface

Buy Now
Questions 80

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Buy Now
Questions 81

An administrator pushes a new configuration from Panorama to a par of firewalls that are configured as an active/passive HA pair. Which NGFW receives the from Panorama?

Options:

A.

The active firewall which then synchronizes to the passive firewall

B.

The passive firewall, which then synchronizes to the active firewall

C.

Both the active and passive firewalls which then synchronize with each other

D.

Both the active and passive firewalls independently, with no synchronization afterward

Buy Now
Questions 82

An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?

Options:

A.

"Managed Devices > Device Association"

B.

PDF Export under "Panorama > Templates"

C.

Variable CSV export under "Panorama > Templates"

D.

Manage variables under "Panorama > Templates"

Buy Now
Questions 83

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?

Options:

A.

test routing route ip 10.2.5.3 *

B.

test routing route ip 10.2.5.3 virtual-router default

C.

test routing fib-lookup ip 10.2.5.0/24 virtual-router default

D.

test routing fib-lookup ip 10.2.5.3 virtual-router default

Buy Now
Questions 84

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

Options:

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Buy Now
Questions 85

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)

Options:

A.

GlobalProtect

B.

Authentication

C.

User-ID

D.

WildFire

Buy Now
Questions 86

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Options:

A.

Custom URL category in URL Filtering profile

B.

EDL in URL Filtering profile

C.

PAN-DB URL category in URL Filtering profile

D.

Custom URL category in Security policy rule

Buy Now
Questions 87

A firewall engineer needs to patch the company’s Palo Alto Network firewalls to the latest version of PAN-OS. The company manages its firewalls by using panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?

Options:

A.

Only Panorama and Dedicated Log Collectorss must be patched to the target PAN-OS version before updating the firewalls

B.

Panorama, Dedicated Log Collectors and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.

C.

Panorama, Dedicated Log Collectors and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter.

D.

Only Panorama must be patched to the PAN-OS version before updating the firewalls

Buy Now
Questions 88

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?

Options:

A.

Confirm the file types and direction are configured correctly in the WildFire analysis profile

B.

Configure the appropriate actions in the Antivirus security profile

C.

Configure the appropriate actions in the File Blocking profile

D.

Confirm the file size limits are configured correctly in the WildFire general settings

Buy Now
Questions 89

Which two statements correctly describe Session 380280? (Choose two.)

PCNSE Question 89

PCNSE Question 89

Options:

A.

The session went through SSL decryption processing.

B.

The session has ended with the end-reason unknown.

C.

The application has been identified as web-browsing.

D.

The session did not go through SSL decryption processing.

Buy Now
Questions 90

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Buy Now
Questions 91

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Options:

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Buy Now
Questions 92

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)

Options:

A.

HTTPS

B.

SSH

C.

Permitted IP Addresses

D.

HTTP

E.

User-IO

Buy Now
Questions 93

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

Options:

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application

Buy Now
Questions 94

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?

Options:

A.

OSPFV3

B.

ECMP

C.

ASBR

D.

OSBF

Buy Now
Questions 95

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

Options:

A.

Dedicated Service Account

B.

System Account

C.

Domain Administrator

D.

Enterprise Administrator

Buy Now
Questions 96

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks?

Options:

A.

Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template.

B.

Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template.

C.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack.

D.

Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack

Buy Now
Questions 97

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)

Options:

A.

Windows User-ID agent

B.

GlobalProtect

C.

XMLAPI

D.

External dynamic list

E.

Dynamic user groups

Buy Now
Questions 98

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

Options:

A.

ECDSA

B.

ECDHE

C.

RSA

D.

DHE

Buy Now
Questions 99

Which GloDalProtecI gateway setting is required to enable split-tunneting by access route, destination domain and application?

Options:

A.

Tunnel mode

B.

Satellite mode

C.

IPSec mode

D.

No Direct Access to local networks

Buy Now
Questions 100

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.

Data Filtering

B.

IP-Tag

C.

Traffic

D.

Threat

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Mar 29, 2025
Questions: 334

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now PCNSE testing engine

PDF (Q&A)

$36.75  $104.99
buy now PCNSE pdf