Special Summer Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168 33 33/24 type IPv4 address protocol 0 port 0, received remote id 172.16 33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate

B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure

C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN

D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Buy Now
Questions 5

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?

Options:

A.

New sessions and is global

B.

New sessions and is not global

C.

Existing sessions and is not global

D.

Existing sessions and is global

Buy Now
Questions 6

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter?

Options:

A.

Command line > debug dataplane packet-diag clear filter-marked-session all

B.

In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface

C.

Command line> debug dataplane packet-diag clear filter all

D.

In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude"

Buy Now
Questions 7

An administrator Just enabled HA Heartbeat Backup on two devices However, the status on tie firewall's dashboard is showing as down High Availability.

PCNSE Question 7

What could an administrator do to troubleshoot the issue?

Options:

A.

Go to Device > High Availability> General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup

B.

Check peer IP address In the permit list In Device > Setup > Management > Interfaces > Management Interface Settings

C.

Go to Device > High Availability > HA Communications> General> and check the Heartbeat Backup under Election Settings

D.

Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings.

Buy Now
Questions 8

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)

Options:

A.

User logon

B.

Push

C.

One-Time Password

D.

SSH key

E.

Short message service

Buy Now
Questions 9

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?

Options:

A.

Enable PFS under the IKE gateway advanced options.

B.

Enable PFS under the IPSec Tunnel advanced options.

C.

Add an authentication algorithm in the IPSec Crypto profile.

D.

Select the appropriate DH Group under the IPSec Crypto profile.

Buy Now
Questions 10

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

Options:

A.

Financial, health, and government traffic categories

B.

Known traffic categories

C.

Known malicious IP space

D.

Public-facing servers,

E.

Less-trusted internal IP subnets

Buy Now
Questions 11

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?

Options:

A.

An Antivirus license is needed first, then a Security profile for Antivirus needs to be created.

B.

An Antivirus license must be obtained before Dynamic Updates can be downloaded or installed.

C.

An Advanced Threat Prevention license is required to see the Dynamic Updates for Antivirus.

D.

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Buy Now
Questions 12

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.

The profile rule action

B.

CVE column

C.

Exceptions lab

D.

The profile rule threat name

Buy Now
Questions 13

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

Options:

A.

Initial

B.

Tentative

C.

Passive

D.

Active-secondary

Buy Now
Questions 14

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?

Options:

A.

Contact the site administrator with the expired certificate to request updates or renewal.

B.

Enable certificate revocation checking to deny access to sites with revoked certificates. -"

C.

Add the server's hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

D.

Check for expired certificates and take appropriate actions to block or allow access based on business needs.

Buy Now
Questions 15

In a template, which two objects can be configured? (Choose two.)

Options:

A.

SD-WAN path quality profile

B.

Monitor profile

C.

IPsec tunnel

D.

Application group

Buy Now
Questions 16

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

Options:

A.

Initial

B.

Passive

C.

Active

D.

Active-primary

Buy Now
Questions 17

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?

Options:

A.

show chassis status slot s1

B.

show s/stem state filter ethernet1/1

C.

show s/stem state filter sw.dev interface config

D.

show s/stem state filter-pretty sys.sl*

Buy Now
Questions 18

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall architect is responsible for log forwarding and should be checked for early signs of overutilization?

Options:

A.

Management plane CPU

B.

Dataplane CPU

C.

Packet buffers

D.

On-chip packet descriptors

Buy Now
Questions 19

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Custom Log Format within Device > Server Profiles > Syslog

B.

Built-in Actions within Objects > Log Forwarding Profile

C.

Logging and Reporting Settings within Device > Setup > Management

D.

Data Patterns within Objects > Custom Objects

Buy Now
Questions 20

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade steps have been completed in Panorama (Panorama upgraded, backups made, content updates, and disabling "Preemptive" pushed), and the firewalls are ready for upgrade. What is the next best step to minimize downtime and ensure a smooth transition?

Options:

A.

Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency

B.

Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer

C.

Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability

D.

Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer

Buy Now
Questions 21

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?

Options:

A.

By configuring Data Redistribution Client in Panorama > Data Redistribution

B.

By configuring User-ID group mapping in Panorama > User Identification

C.

By configuring User-ID source device in Panorama > Managed Devices

D.

By configuring Master Device in Panorama > Device Groups

Buy Now
Questions 22

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?

Options:

A.

Preview Changes

B.

Managed Devices Health

C.

Test Policy Match

D.

Policy Optimizer

Buy Now
Questions 23

Which type of zone will allow different virtual systems to communicate with each other?

Options:

A.

Tap

B.

External

C.

Virtual Wire

D.

Tunnel

Buy Now
Questions 24

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)

Options:

A.

Log Forwarding profile

B.

SSL decryption exclusion

C.

Email scheduler

D.

Login banner

E.

Dynamic updates

Buy Now
Questions 25

An engineer is tasked with decrypting web traffic in an environment without an established PKI When using a self-signed certificate generated on the firewall which type of certificate should be in? approved web traffic?

Options:

A.

An Enterprise Root CA certificate

B.

The same certificate as the Forward Trust certificate

C.

A Public Root CA certificate

D.

The same certificate as the Forward Untrust certificate

Buy Now
Questions 26

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems. Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?

Options:

A.

Configure a Captive Portal authentication policy that uses an authentication sequence.

B.

Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.

C.

Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.

D.

Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

Buy Now
Questions 27

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?

Options:

A.

Upgrade the firewalls, upgrade log collectors, upgrade Panorama

B.

Upgrade the firewalls, upgrade Panorama, upgrade the log collectors

C.

Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

D.

Upgrade the log collectors, upgrade the firewalls, upgrade Panorama

Buy Now
Questions 28

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects

Which type of role-based access is most appropriate for this project?

Options:

A.

Create a Dynamic Read only superuser.

B.

Create a Dynamic Admin with the Panorama Administrator role

C.

Create a Device Group and Template Admin

D.

Create a Custom Panorama Admin

Buy Now
Questions 29

An engineer is pushing configuration from Panorama to a managed firewall What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?

Options:

A.

The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.

B.

The firewall fully commits all of the pushed configuration and overwrites its locally configured objects

C.

The firewall rejects the pushed configuration, and the commit fails.

D.

The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Buy Now
Questions 30

Refer to Exhibit:

PCNSE Question 30

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

PCNSE Question 30

B)

PCNSE Question 30

C)

PCNSE Question 30

D)

PCNSE Question 30

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 31

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?

Options:

A.

The running configuration with the candidate configuration of the firewall

B.

Applications configured in the rule with applications seen from traffic matching the same rule

C.

Applications configured in the rule with their dependencies

D.

The security rule with any other security rule selected

Buy Now
Questions 32

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:

A.

Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B.

Perform synchronization of routes, IPSec security associations, and User-ID information.

C.

Perform session cache synchronization for all HA cluster members with the same cluster ID.

D.

Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Buy Now
Questions 33

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?

Options:

A.

Install the unsupported cipher into the firewall to allow the sites to be decrypted

B.

Allow the firewall to block the sites to improve the security posture.

C.

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.

D.

Create a Security policy to allow access to those sites.

Buy Now
Questions 34

‘SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www important-website com certificate, End-users are receiving the "security certificate is no: trusted” warning, Without SSL decryption, the web browser shows chat the website certificate is trusted and signet by well-known certificate chain Well-Known-intermediate and Wako Hebe CA Security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https:///www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?

Options:

A.

Install the Well-Known-intermediate-CA and Well:Known Root-CA certificates on all end-user systems in the user and local computer stores:

B.

Clear the Forward Untrust-CA Certificate check box on the Untrusted-CA certificate= and commit the configuration

C.

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA 2nd Well-Known-Root-CA select the Trusted Root CA check box, aid commit the configuration.

D.

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-known-Intermediate-CA and Well-Know5-Root-CA, Select the Trusted Root CA check box, and commit the configuration.

Buy Now
Questions 35

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?

Options:

A.

Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.

B.

Open a support case.

C.

Review traffic logs to add the exception from there.

D.

Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.

Buy Now
Questions 36

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

Options:

A.

Application filter

B.

Application override policy rule

C.

Security policy rule

D.

Custom app

Buy Now
Questions 37

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.

Inherit settings from the Shared group

B.

Inherit IPSec crypto profiles

C.

Inherit all Security policy rules and objects

D.

Inherit parent Security policy rules and objects

Buy Now
Questions 38

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports

What can the engineer do to solve the VoIP traffic issue?

Options:

A.

Disable ALG under H.323 application

B.

Increase the TCP timeout under H.323 application

C.

Increase the TCP timeout under SIP application

D.

Disable ALG under SIP application

Buy Now
Questions 39

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)

Options:

A.

An Application Override policy for the SIP traffic

B.

QoS on the egress interface for the traffic flows

C.

QoS on the ingress interface for the traffic flows

D.

A QoS profile defining traffic classes

E.

A QoS policy for each application ID

Buy Now
Questions 40

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.

A Decryption profile must be attached to the Security policy that the traffic matches.

C.

There must be a certificate with only the Forward Trust option selected.

D.

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Buy Now
Questions 41

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

Options:

A.

Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.

B.

Use the highest TLS protocol version to maximize security.

C.

Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.

D.

Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

Buy Now
Questions 42

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)

Options:

A.

Log Forwarding Profile is configured but not added to security rules in the data center firewall.

B.

HIP profiles are configured but not added to security rules in the data center firewall.

C.

User ID is not enabled in the Zone where the users are coming from in the data center firewall.

D.

HIP Match log forwarding is not configured under Log Settings in the device tab.

Buy Now
Questions 43

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewall?

Options:

A.

Tunnel

B.

Ethernet

C.

VLAN

D.

Lookback

Buy Now
Questions 44

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?

Options:

A.

Virtual Wire interface

B.

Loopback interface

C.

Layer 3 interface

D.

Layer 2 interface

Buy Now
Questions 45

What can the Log Forwarding built-in action with tagging be used to accomplish?

Options:

A.

Block the source zones of selected unwanted traffic.

B.

Block the destination IP addresses of selected unwanted traffic.

C.

Forward selected logs to the Azure Security Center.

D.

Block the destination zones of selected unwanted traffic.

Buy Now
Questions 46

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)

Options:

A.

Ps1

B.

Perl

C.

Python

D.

VBS

Buy Now
Questions 47

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?

Options:

A.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-1) above (NAT-Rule-2).

B.

1- Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23.

2. Check the box for negate option to negate this IP subnet from NAT translation.

C.

1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port.

2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none.

3. Place (NAT-Rule-2) above (NAT-Rule-1).

D.

1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32.

2. Check the box for negate option to negate this IP from the NAT translation.

Buy Now
Questions 48

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is configure an applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)

Options:

A.

Create a Security policy rule with an application filter to always allow certain categories of new App-IDs.

B.

Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.

C.

Select the action "download-only" when configuring an Applications and Threats update schedule.

D.

Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours

Buy Now
Questions 49

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.

Options:

A.

Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.

B.

Add the tool IP address to the reconnaissance protection source address exclusion in the Zone protection profile.

C.

Change the TCP port scan action from Block to Alert in the Zone Protection profile.

D.

Remove the Zone protection profile from the zone setting.

Buy Now
Questions 50

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?

Options:

A.

Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.

B.

Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.

C.

Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes

D.

Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices

Buy Now
Questions 51

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Buy Now
Questions 52

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Options:

A.

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

C.

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

D.

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Buy Now
Questions 53

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

Options:

A.

GlobalProtect agent version

B.

Outdated plugins

C.

Management-only mode

D.

Expired certificates

Buy Now
Questions 54

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

Options:

A.

On the same RODC that is used for credential detection

B.

In close proximity to the firewall it will be providing User-ID to

C.

In close proximity to the servers it will be monitoring

D.

On the DC holding the Schema Master FSMO role

Buy Now
Questions 55

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently. HTTP and SSL requests contain the c IP address of the web server and the client browser is redirected to the proxy

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?

Options:

A.

DNS proxy

B.

Explicit proxy

C.

SSL forward proxy

D.

Transparent proxy

Buy Now
Questions 56

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?

Options:

A.

With the relevant configuration log filter inside Device > Log Settings

B.

With the relevant system log filter inside Objects > Log Forwarding

C.

With the relevant system log filter inside Device > Log Settings

D.

With the relevant configuration log filter inside Objects > Log Forwarding

Buy Now
Questions 57

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

Options:

A.

SSL/TLS Service Profile

B.

SSH Service Profile

C.

Certificate Profile

D.

Decryption Profile

Buy Now
Questions 58

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

Options:

A.

To allow traffic between zones in different virtual systems without the traffic leaving the appliance

B.

To allow traffic between zones in different virtual systems while the traffic is leaving the appliance

C.

External zones are required because the same external zone can be used on different virtual systems

D.

Multiple external zones are required in each virtual system to allow the communications between virtual systems

Buy Now
Questions 59

Why would a traffic log list an application as "not-applicable”?

Options:

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Buy Now
Questions 60

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:

PCNSE Question 60

Options:

A.

Enable NAT Traversal on Site B firewall

B.

Configure Local Identification on Site firewall

C.

Disable passive mode on Site A firewall

D.

Match IKE version on both firewalls.

Buy Now
Questions 61

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

Options:

A.

Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server

B.

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

C.

Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange

D.

Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory

Buy Now
Questions 62

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an interal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?

Options:

A.

Data Patterns within Objects > Custom Objects

B.

Custom Log Format within Device Server Profiles> Syslog

C.

Built-in Actions within Objects > Log Forwarding Profile

D.

Logging and Reporting Settings within Device > Setup > Management

Buy Now
Questions 63

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?

Options:

A.

Click Preview Changes under Push Scope

B.

Use Test Policy Match to review the policies in Panorama

C.

Review the configuration logs on the Monitor tab

D.

Context-switch to the affected firewall and use the configuration audit tool

Buy Now
Questions 64

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

Options:

A.

An SSL/TLS Service profile with a certificate assigned.

B.

An Interface Management profile with HTTP and HTTPS enabled.

C.

A Certificate profile with a trusted root CA.

D.

An Authentication profile with the allow list of users.

Buy Now
Questions 65

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

Options:

A.

HA cluster members must share the same zone names.

B.

Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces

C.

Panorama must be used to manage HA cluster members.

D.

HA cluster members must be the same firewall model and run the same PAN-OS version.

Buy Now
Questions 66

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

PCNSE Question 66

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)

Options:

A.

Hello Interval

B.

Promotion Hold Time

C.

Heartbeat Interval

D.

Monitor Fail Hold Up Time

Buy Now
Questions 67

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?

Options:

A.

certificates

B.

profiles

C.

link state

D.

stateful firewall connection

Buy Now
Questions 68

Which two components are required to configure certificate-based authentication to the web Ul when an administrator needs firewall access on a trusted interface'? (Choose two.)

Options:

A.

Server certificate

B.

SSL/TLS Service Profile

C.

Certificate Profile

D.

CA certificate

Buy Now
Questions 69

Which statement regarding HA timer settings is true?

Options:

A.

Use the Recommended profile for typical failover timer settings

B.

Use the Moderate profile for typical failover timer settings

C.

Use the Aggressive profile for slower failover timer settings.

D.

Use the Critical profile for faster failover timer settings.

Buy Now
Questions 70

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

Options:

A.

The forward untrust certificate has not been signed by the self-singed root CA certificate.

B.

The forward trust certificate has not been installed in client systems.

C.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

D.

The forward trust certificate has not been signed by the self-singed root CA certificate.

Buy Now
Questions 71

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?

Options:

A.

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.

Place firewalls where administrators can opt to bypass the firewall when needed.

D.

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Buy Now
Questions 72

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

Options:

A.

debug ike stat

B.

test vpn ipsec-sa tunnel

C.

show vpn ipsec-sa tunnel

D.

test vpn ike-sa gateway

Buy Now
Questions 73

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Options:

A.

Authentication Portal

B.

SSL Decryption profile

C.

SSL decryption policy

D.

comfort pages

Buy Now
Questions 74

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

Options:

A.

UaCredlnstall64-11.0.0.msi

B.

GlobalProtect64-6.2.1.msi

C.

Talnstall-11.0.0.msi

D.

Ualnstall-11.0.0msi

Buy Now
Questions 75

An engineer reviews high availability (HA) settings to understand a recent HA failover event Review the screenshot below.

PCNSE Question 75

Which tuner determines how long the passive firewall will wart before taking over as the active firewall after losing communications with the HA peer?

Options:

A.

Additional Master Hold Up Time

B.

Promotion Hold Time

C.

Monitor Fail Hold Up Time

D.

Heartbeat Interval

Buy Now
Questions 76

Match the terms to their corresponding definitions

PCNSE Question 76

Options:

Buy Now
Questions 77

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

Options:

A.

Click Session Browser and review the session details.

B.

Click Traffic view and review the information in the detailed log view.

C.

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.

Click App Scope > Network Monitor and filter the report for NAT rules.

Buy Now
Questions 78

Exhibit.

PCNSE Question 78

Given the screenshot, how did the firewall handle the traffic?

Options:

A.

Traffic was allowed by profile but denied by policy as a threat.

B.

Traffic was allowed by policy but denied by profile as a threat.

C.

Traffic was allowed by policy but denied by profile as encrypted.

D.

Traffic was allowed by policy but denied by profile as a nonstandard port.

Buy Now
Questions 79

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Buy Now
Questions 80

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

PCNSE Question 80

PCNSE Question 80

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Buy Now
Questions 81

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?

Options:

A.

Set up high availability (HA) and increase the IPsec rekey interval to reduce the likelihood of tunnel disruptions

B.

Set up a backup tunnel and reduce the tunnel monitoring interval and threshold to detect failures quickly

C.

Set up high availability (HA) and disable tunnel monitoring to prevent unnecessary failovers due to temporary connectivity issues

D.

Set up a backup tunnel and change the tunnel monitoring profile from "Wait Recover" to "Fail Over"

Buy Now
Questions 82

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)

Options:

A.

Kerberos or SAML authentication need to be configured

B.

LDAP or TACACS+ authentication need to be configured

C.

RADIUS is only supported for a transparent Web Proxy.

D.

RADIUS is not supported for explicit or transparent Web Proxy

Buy Now
Questions 83

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server on DHCP agent configuration. Which interface mode can the broadcast DHCP traffic?

Options:

A.

Virtual ware

B.

Tap

C.

Layer 2

D.

Layer 3

Buy Now
Questions 84

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Options:

A.

debug dataplane internal vif route 255

B.

show routing route type management

C.

debug dataplane internal vif route 250

D.

show routing route type service-route

Buy Now
Questions 85

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.

increase the frequency of the applications and threats dynamic updates.

B.

Increase the frequency of the antivirus dynamic updates

C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.

D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.

Buy Now
Questions 86

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?

Options:

A.

Set up certificate authentication.

B.

Use the Dynamic IP address type.

C.

Enable Passive Mode

D.

Configure the peer address as an FQDN.

Buy Now
Questions 87

Exhibit.

PCNSE Question 87

Review the screenshots and consider the following information

1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

Options:

A.

Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

B.

Server-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.

C.

Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

D.

Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Buy Now
Questions 88

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.

B.

Add web-browsing application to the same rule.

C.

Add SSL application to the same rule.

D.

SSL and web-browsing must both be explicitly allowed.

Buy Now
Questions 89

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?

Options:

A.

Post-NAT destination address

B.

Pre-NAT destination address

C.

Post-NAT source address

D.

Pre-NAT source address

Buy Now
Questions 90

A firewall engineer is configuring quality of service (OoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet.

Which combination of pre-NAT and / or post-NAT information should be used in the QoS rule?

Options:

A.

Post-NAT source IP address Pre-NAT source zone

B.

Post-NAT source IP address Post-NAT source zone

C.

Pre-NAT source IP address Post-NAT source zone

D.

Pre-NAT source IP address Pre-NAT source zone

Buy Now
Questions 91

Refer to the exhibit.

PCNSE Question 91

Based on the screenshots above what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.

shared pre-rules

DATACENTER DG pre rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

DATACENTER.DG default rules

B.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER.DG post-rules

shared default rules

C.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

shared default rules

D.

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

DATACENTER_DG default rules

Buy Now
Questions 92

A firewall administrator wants to be able at to see all NAT sessions that are going ‘through a firewall with source NAT. Which CLI command can the administrator use?

Options:

A.

show session all filter nat-rule-source

B.

show running nat-rule-ippool rule "rule_name

C.

show running nat-policy

D.

show session all filter nat source

Buy Now
Questions 93

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Options:

A.

ingress for the outgoing traffic to the internet

B.

Loopback for the proxy

C.

Firewall management

D.

ingress for the client traffic

Buy Now
Questions 94

When using certificate authentication for firewall administration, which method is used for authorization?

Options:

A.

Local

B.

Radius

C.

Kerberos

D.

LDAP

Buy Now
Questions 95

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)

Options:

A.

Schedule

B.

Source Device

C.

Custom Application

D.

Source Interface

Buy Now
Questions 96

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?

Options:

A.

It matches to the New App-IDs downloaded in the last 90 days.

B.

It matches to the New App-IDs in the most recently installed content releases.

C.

It matches to the New App-IDs downloaded in the last 30 days.

D.

It matches to the New App-IDs installed since the last time the firewall was rebooted.

Buy Now
Questions 97

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

Options:

A.

It allows for complete visibility into certificate data, ensuring secure connections to all websites.

B.

It ensures that the firewall checks its certificate store, enabling sessions with trusted self-signed certificates even when an alternative trust anchor exists.

C.

It encrypts all certificate information to maintain privacy and compliance with local regulations.

D.

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Buy Now
Questions 98

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Options:

A.

HSCI-C

B.

Console Backup

C.

HA3

D.

HA2 backup

Buy Now
Questions 99

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?

Options:

A.

The PAN-OS integrated User-ID agent must be a member of the Active Directory domain

B.

The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW’s management CPU

C.

The standalone User-ID agent consumes fewer resources on the NGFW’s management CPU

D.

The standalone User-ID agent must run directly on the domain controller server

Buy Now
Questions 100

A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two)

Options:

A.

Verify the NGFWs have the Advanced DNS Security and Advanced Threat Prevention licenses installed and validated

B.

Create or update a Vulnerability Protection profile to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected

C.

Verify the NGFWs have the Advanced DNS Security and Advanced URL Filtering licenses installed and validated

D.

Create or update an Anti-Spyware profile, go to the DNS Policies / DNS Zone Misconfiguration section, then add the domains to be protected

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Mar 31, 2025
Questions: 334

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now PCNSE testing engine

PDF (Q&A)

$31.5  $104.99
buy now PCNSE pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 31 Mar 2025