Month End Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 2493360325

Good News !!! PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 is now Stable and Pass

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 Question and Answers

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2

Last Update 5 days ago
Total Questions : 243

PCNSE Exam is stable now with all latest questions are added 5 days ago. Just download our Full package and start your journey with Paloalto Networks Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.2 certification. All these Paloalto Networks Exam PCNSE questions are real and verified by our Experts in the related industry fields.

PCNSE PDF

PCNSE PDF (Printable)
$48
$119.99

PCNSE Testing Engine

PCNSE PDF (Printable)
$56
$139.99

PCNSE PDF + Testing Engine

PCNSE PDF (Printable)
$70.8
$176.99
Question # 1

A network engineer is troubleshooting a VPN and wants to verify whether the decapsulation/encapsulation counters are increasing. Which CLI command should the engineer run?

Options:

A.  

Show vpn tunnel name | match encap

B.  

Show vpn flow name

C.  

Show running tunnel flow lookup

D.  

Show vpn ipsec-sa tunnel

Discussion 0
Question # 2

A client wants to detect the use of weak and manufacturer-default passwords for loT devices. Which option will help the customer?

Options:

A.  

Configure a Data Filtering profile with alert mode.

B.  

Configure an Antivirus profile with alert mode.

C.  

Configure a Vulnerability Protection profile with alert mode

D.  

Configure an Anti-Spyware profile with alert mode.

Discussion 0
Question # 3

Which function is handled by the management plane (control plane) of a Palo Alto Networks firewall?

Options:

A.  

signature matching for content inspection

B.  

IPSec tunnel standup

C.  

Quality of Service

D.  

logging

Discussion 0
Question # 4

Which log type will help the engineer verify whether packet buffer protection was activated?

Options:

A.  

Data Filtering

B.  

Configuration

C.  

Threat

D.  

Traffic

Discussion 0
Question # 5

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?

Options:

A.  

A service route to the LDAP server

B.  

A Master Device

C.  

Authentication Portal

D.  

A User-ID agent on the LDAP server

Discussion 0
Question # 6

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

Options:

A.  

Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

B.  

Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

C.  

Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

D.  

Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot

Discussion 0
Question # 7

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.  

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.  

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.  

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.  

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Discussion 0
Question # 8

A network administrator troubleshoots a VPN issue and suspects an IKE Crypto mismatch between peers. Where can the administrator find the corresponding logs after running a test command to initiate the VPN?

Options:

A.  

Configuration logs

B.  

System logs

C.  

Traffic logs

D.  

Tunnel Inspection logs

Discussion 0
Question # 9

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)

Options:

A.  

SSUTLS Service

B.  

HTTP Server

C.  

Decryption

D.  

Interface Management

Discussion 0
Question # 10

When planning to configure SSL Froward Proxy on a PA 5260, a user asks how SSL decryption can be implemented using phased approach in alignment with Palo Alto Networks best practices

What should you recommend?

Options:

A.  

Enable SSL decryption for known malicious source IP addresses

B.  

Enable SSL decryption for source users and known malicious URL categories

C.  

Enable SSL decryption for malicious source users

D.  

Enable SSL decryption for known malicious destination IP addresses

Discussion 0
Question # 11

An engineer is configuring SSL Inbound Inspection for public access to a company's application. Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Options:

A.  

Self-signed CA and End-entity certificate

B.  

Root CA and Intermediate CA(s)

C.  

Self-signed certificate with exportable private key

D.  

Intermediate CA (s) and End-entity certificate

Discussion 0
Question # 12

What are two best practices for incorporating new and modified App-IDs? (Choose two.)

Options:

A.  

Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs

B.  

Configure a security policy rule to allow new App-IDs that might have network-wide impact

C.  

Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs

D.  

Study the release notes and install new App-IDs if they are determined to have low impact

Discussion 0
Question # 13

An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best describes redistribution of user mappings?

Options:

A.  

Domain Controller to User-ID agent

B.  

User-ID agent to Panorama

C.  

User-ID agent to firewall

D.  

firewall to firewall

Discussion 0
Question # 14

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer.

Where should this change be made?

Options:

A.  

IKE Gateway profile

B.  

IPSec Crypto profile

C.  

IPSec Tunnel settings

D.  

IKE Crypto profile

Discussion 0
Question # 15

A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application.

What must be enabled to allow an interface to forward multicast traffic?

Options:

A.  

IGMP

B.  

PIM

C.  

BFD

D.  

SSM

Discussion 0
Question # 16

An engineer is tasked with configuring a Zone Protection profile on the untrust zone.

Which three settings can be configured on a Zone Protection profile? (Choose three.)

Options:

A.  

Ethernet SGT Protection

B.  

Protocol Protection

C.  

DoS Protection

D.  

Reconnaissance Protection

E.  

Resource Protection

Discussion 0
Question # 17

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped a by the firewall, the administrator decides to enable packet butter protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?

Options:

A.  

Add the default Vulnerability Protection profile to all security rules that allow traffic from outside.

B.  

Enable packet buffer protection for the affected zones.

C.  

Add a Zone Protection profile to the affected zones.

D.  

Apply DOS profile to security rules allow traffic from outside.

Discussion 0
Question # 18

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.  

A self-signed Certificate Authority certificate generated by the firewall

B.  

A Machine Certificate for the firewall signed by the organization's PKI

C.  

A web server certificate signed by the organization's PKI

D.  

A subordinate Certificate Authority certificate signed by the organization's PKI

Discussion 0
Question # 19

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

Options:

A.  

Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

B.  

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

C.  

Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

D.  

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

Discussion 0
Question # 20

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)

Options:

A.  

Video Streaming Application

B.  

Destination Domain

C.  

Client Application Process

D.  

Source Domain

E.  

URL Category

Discussion 0
Question # 21

How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW?

Options:

A.  

Use the debug dataplane packet-diag set capture stage firewall file command.

B.  

Enable all four stages of traffic capture (TX, RX, DROP, Firewall).

C.  

Use the debug dataplane packet-diag set capture stage management file command.

D.  

Use the tcpdump command.

Discussion 0
Question # 22

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks Which sessions does Packet Buffer Protection apply to?

Options:

A.  

It applies to existing sessions and is not global

B.  

It applies to new sessions and is global

C.  

It applies to new sessions and is not global

D.  

It applies to existing sessions and is global

Discussion 0
Question # 23

How can an administrator use the Panorama device-deployment option to update the apps and threat version of an HA pair of managed firewalls?

Options:

A.  

Configure the firewall's assigned template to download the content updates.

B.  

Choose the download and install action for both members of the HA pair in the Schedule object.

C.  

Switch context to the firewalls to start the download and install process.

D.  

Download the apps to the primary; no further action is required.

Discussion 0
Question # 24

A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements.

What is the correct setting?

Options:

A.  

Change the HA timer profile to "aggressive" or customize the settings in advanced profile.

B.  

Change the HA timer profile to "fast".

C.  

Change the HA timer profile to "user-defined" and manually set the timers.

D.  

Change the HA timer profile to "quick" and customize in advanced profile.

Discussion 0
Question # 25

An engineer is in the planning stages of deploying User-ID in a diverse directory services environment.

Which server OS platforms can be used for server monitoring with User-ID?

Options:

A.  

Microsoft Terminal Server, Red Hat Linux, and Microsoft Active Directory

B.  

Microsoft Active Directory, Red Hat Linux, and Microsoft Exchange

C.  

Microsoft Exchange, Microsoft Active Directory, and Novell eDirectory

D.  

Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory

Discussion 0
Question # 26

Match each GlobalProtect component to the purpose of that component

Question # 26

Options:

Discussion 0
Question # 27

A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended.

The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings.

What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?

Options:

A.  

Move the "Global" template above the "Local" template in the template stack.

B.  

Perform a commit and push with the "Force Template Values" option selected.

C.  

Move the "Local" template above the "Global" template in the template stack.

D.  

Override the values on the local firewall and apply the correct settings for each value.

Discussion 0
Question # 28

A user at an internal system queries the DNS server for their web server with a private IP of 10 250 241 131 in the. The DNS server returns an address of the web server's public address, 200.1.1.10.

In order to reach the web server, which security rule and U-Turn NAT rule must be configured on the firewall?

Question # 28

A)

Question # 28

B)

Question # 28

C)

Question # 28

D)

Question # 28

Options:

A.  

Option A

B.  

Option B

C.  

Option C

D.  

Option D

Discussion 0
Question # 29

An engineer has discovered that certain real-time traffic is being treated as best effort due to it exceeding defined bandwidth Which QoS setting should the engineer adjust?

Options:

A.  

QoS profile: Egress Max

B.  

QoS interface: Egress Guaranteed

C.  

QoS profile: Egress Guaranteed

D.  

QoS interface: Egress Max

Discussion 0
Question # 30

An engineer is planning an SSL decryption implementation

Which of the following statements is a best practice for SSL decryption?

Options:

A.  

Use the same Forward Trust certificate on all firewalls in the network.

B.  

Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.

C.  

Obtain an enterprise CA-signed certificate for the Forward Trust certificate.

D.  

Use an enterprise CA-signed certificate for the Forward Untrust certificate.

Discussion 0
Question # 31

An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface

What are three supported functions on the VWire interface? (Choose three )

Options:

A.  

NAT

B.  

QoS

C.  

IPSec

D.  

OSPF

E.  

SSL Decryption

Discussion 0
Question # 32

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.  

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

B.  

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

C.  

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

D.  

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

Discussion 0
Question # 33

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

Options:

A.  

The trusted certificate

B.  

The server certificate

C.  

The untrusted certificate

D.  

The root CA

Discussion 0
Question # 34

What steps should a user take to increase the NAT oversubscription rate from the default platform setting?

Options:

A.  

Navigate to Device > Setup > TCP Settings > NAT Oversubscription Rate

B.  

Navigate to Policies > NAT > Destination Address Translation > Dynamic IP (with session distribution)

C.  

Navigate to Policies > NAT > Source Address Translation > Dynamic IP (with session distribution)

D.  

Navigate to Device > Setup > Session Settings > NAT Oversubscription Rate

Discussion 0
Question # 35

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.

Which troubleshooting command should the engineer use to work around this issue?

Options:

A.  

set deviceconfig setting tcp asymmetric-path drop

B.  

set deviceconfig setting session tcp-reject-non-syn no

C.  

set session tcp-reject-non-syn yes

D.  

set deviceconfig setting tcp asymmetric-path bypass

Discussion 0
Question # 36

An administrator allocates bandwidth to a Prisma Access Remote Networks compute location with three remote networks.

What is the minimum amount of bandwidth the administrator could configure at the compute location?

Options:

A.  

90Mbps

B.  

300 Mbps

C.  

75Mbps

D.  

50Mbps

Discussion 0