PCNSE Practice Questions and Answers

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

Last Update 5 days ago
Total Questions : 89

Question # 1

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain and application?

Options:

A.  

Tunnel mode

B.  

Satellite mode

C.  

IPSec mode

D.  

No Direct Access to local networks

Question # 2

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.  

Exclude video traffic

B.  

Enable decryption

C.  

Block traffic that is not work-related

D.  

Create a Tunnel Inspection policy

Question # 3

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?

Options:

A.  

Click the hyperlink for the Zero Access.Gen threat.

B.  

Click the left arrow beside the Zero Access.Gen threat.

C.  

Click the source user with the highest threat count.

D.  

Click the hyperlink for the botnet threat Category.

Question # 4

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.  

A Deny policy for the tagged traffic

B.  

An Allow policy for the initial traffic

C.  

A Decryption policy to decrypt the traffic and see the tag

D.  

A Deny policy with the "tag" App-ID to block the tagged traffic

Question # 5

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)

Options:

A.  

RADIUS

B.  

TACACS+

C.  

Kerberos

D.  

LDAP

E.  

SAML

Question # 6

Why would a traffic log list an application as "not-applicable"?

Options:

A.  

The firewall denied the traffic before the application match could be performed.

B.  

The TCP connection terminated without identifying any application data

C.  

There was not enough application data after the TCP connection was established

D.  

The application is not a known Palo Alto Networks App-ID.

Question # 7

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports.

What can the engineer do to solve the VoIP traffic issue?

Options:

A.  

Disable ALG under H.323 application

B.  

Increase the TCP timeout under H.323 application

C.  

Increase the TCP timeout under SIP application

D.  

Disable ALG under SIP application

Question # 8

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?

Options:

A.  

PAN-OS integrated User-ID agent

B.  

GlobalProtect

C.  

Windows-based User-ID agent

D.  

LDAP Server Profile configuration

Question # 9

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Options:

A.  

Change destination NAT zone to Trust_L3.

B.  

Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.

C.  

Change Source NAT zone to Untrust_L3.

D.  

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Question # 10

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)

Options:

A.  

HSCI-C

B.  

Console Backup

C.  

HA3

D.  

HA2 backup

Question # 11

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Options:

A.  

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: Static IP / 172.16.15.1

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 172.16.15.10 -

Application: ssh

B.  

NAT Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: 192.168.15.0/24 -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

C.  

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Trust -

Destination IP: 192.168.15.1 -

Destination Translation: Static IP / 172.16.15.10

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

D.  

NAT Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Source Translation: dynamic-ip-and-port / ethernet1/4

Security Rule:

Source Zone: Trust -

Source IP: Any -

Destination Zone: Server -

Destination IP: 172.16.15.10 -

Application: ssh

Question # 12

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?

Options:

A.  

Click Session Browser and review the session details.

B.  

Click Traffic view and review the information in the detailed log view.

C.  

Click Traffic view; ensure that the Source or Destination NAT columns are included and review the information in the detailed log view.

D.  

Click App Scope > Network Monitor and filter the report for NAT rules.

Question # 13

What is the best definition of the Heartbeat Interval?

Options:

A.  

The interval in milliseconds between hello packets

B.  

The frequency at which the HA peers check link or path availability

C.  

The frequency at which the HA peers exchange ping

D.  

The interval during which the firewall will remain active following a link monitor failure

Question # 14

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.  

Perform a commit force from the CLI of the firewall.

B.  

Perform a template commit push from Panorama using the "Force Template Values" option.

C.  

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.  

Reload the running configuration and perform a Firewall local commit.

Question # 15

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

Options:

A.  

Export the log database.

B.  

Use the import option to pull logs.

C.  

Use the scp logdb export command.

D.  

Use the ACC to consolidate the logs.

Question # 16

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?

Options:

A.  

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.  

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.  

Place firewalls where administrators can opt to bypass the firewall when needed.

D.  

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Question # 17

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Options:

A.  

Resource Protection

B.  

TCP Port Scan Protection

C.  

Packet Based Attack Protection

D.  

Packet Buffer Protection

Question # 18

Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?

Options:

A.  

The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

B.  

The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.

C.  

The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

D.  

The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

Question # 19

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?

Options:

A.  

1

B.  

2

C.  

3

D.  

4

Question # 20

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

Options:

A.  

IP Netmask

B.  

IP Wildcard Mask

C.  

IP Address

D.  

IP Range

Question # 21

An administrator would like to determine which action the firewall will take for a specific CVE.

Given the screenshot below, where should the administrator navigate to view this information?

Options:

A.  

The profile rule action

B.  

CVE column

C.  

Exceptions tab

D.  

The profile rule threat name

Question # 22

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

Options:

A.  

A web server certificate signed by the organization's PKI

B.  

A self-signed certificate generated on the firewall

C.  

A subordinate Certificate Authority certificate signed by the organization's PKI

D.  

A web server certificate signed by an external Certificate Authority

Question # 23

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.  

No Direct Access to local networks

B.  

Tunnel mode

C.  

IPSec mode

D.  

Satellite mode

Question # 24

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.  

IKE Crypto Profile

B.  

Security policy

C.  

Proxy-IDs

D.  

PAN-OS versions

Question # 25

If a URL is in multiple custom URL categories with different actions, which action will take priority?

Options:

A.  

Allow

B.  

Override

C.  

Block

D.  

Alert

Question # 26

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.  

A service route to the LDAP server

B.  

A Master Device

C.  

Authentication Portal

D.  

A User-ID agent on the LDAP server
