March Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Questions 4

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

Options:

A.

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Buy Now
Questions 5

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options:

A.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass

B.

> set session tcp-reject-non-syn no

C.

Navigate to Network > Zone Protection Click Add

Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global

D.

# set deviceconfig setting session tcp-reject-non-syn no

Buy Now
Questions 6

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?

Options:

A.

IKE Crypto Profile

B.

Security policy

C.

Proxy-IDs

D.

PAN-OS versions

Buy Now
Questions 7

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?

Options:

A.

Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.

B.

Decrypt all traffic that traverses the firewall so that it can be scanned for threats.

C.

Place firewalls where administrators can opt to bypass the firewall when needed.

D.

Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.

Buy Now
Questions 8

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?

Options:

A.

Data Filtering

B.

Configuration

C.

Threat

D.

Traffic

Buy Now
Questions 9

Review the screenshot of the Certificates page.

PCNSE Question 9

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?

Options:

A.

The forward untrust certificate has not been signed by the self-singed root CA certificate.

B.

The forward trust certificate has not been installed in client systems.

C.

The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

D.

The forward trust certificate has not been signed by the self-singed root CA certificate.

Buy Now
Questions 10

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?'

Options:

A.

Active-Secondary

B.

Non-functional

C.

Passive

D.

Active

Buy Now
Questions 11

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)

Options:

A.

Run the CLI command show advanced-routing ospf neighbor

B.

In the WebUI, view the Runtime Stats in the virtual router

C.

Look for configuration problems in Network > virtual router > OSPF

D.

In the WebUI, view Runtime Stats in the logical router

Buy Now
Questions 12

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Options:

A.

Set the passive link state to shutdown".

B.

Disable config sync.

C.

Disable the HA2 link.

D.

Disable HA.

Buy Now
Questions 13

Which Panorama feature protects logs against data loss if a Panorama server fails?

Options:

A.

Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.

B.

Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.

C.

Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.

D.

Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group

Buy Now
Questions 14

Why would a traffic log list an application as "not-applicable”?

Options:

A.

The firewall denied the traffic before the application match could be performed.

B.

The TCP connection terminated without identifying any application data

C.

There was not enough application data after the TCP connection was established

D.

The application is not a known Palo Alto Networks App-ID.

Buy Now
Questions 15

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

Options:

A.

Export the log database.

B.

Use the import option to pull logs.

C.

Use the scp logdb export command.

D.

Use the ACC to consolidate the logs.

Buy Now
Questions 16

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)

Options:

A.

Exclude video traffic

B.

Enable decryption

C.

Block traffic that is not work-related

D.

Create a Tunnel Inspection policy

Buy Now
Questions 17

Match the terms to their corresponding definitions

PCNSE Question 17

Options:

Buy Now
Questions 18

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

Options:

A.

Specify the target device as the master device in the device group

B.

Enable "Share Unused Address and Service Objects with Devices" in Panorama settings

C.

Add the template as a reference template in the device group

D.

Add a firewall to both the device group and the template

Buy Now
Questions 19

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)

Options:

A.

PA-220

B.

PA-800 Series

C.

PA-5000 Series

D.

PA-500

E.

PA-3400 Series

Buy Now
Questions 20

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Options:

A.

Resource Protection

B.

TCP Port Scan Protection

C.

Packet Based Attack Protection

D.

Packet Buffer Protection

Buy Now
Questions 21

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:

A.

Proxy IDs

B.

GRE Encapsulation

C.

Tunnel Monitor

D.

ToS Header

Buy Now
Questions 22

Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?

PCNSE Question 22

Options:

A.

The User-ID agent is connected to a domain controller labeled lab-client

B.

The host lab-client has been found by a domain controller

C.

The host lab-client has been found by the User-ID agent.

D.

The User-ID aaent is connected to the firewall labeled lab-client

Buy Now
Questions 23

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?

Options:

A.

Initial

B.

Passive

C.

Active

D.

Active-primary

Buy Now
Questions 24

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

PCNSE Question 24

PCNSE Question 24

Options:

A.

Change destination NAT zone to Trust_L3.

B.

Change destination translation to Dynamic IP (with session distribution) using firewall ethI/2 address.

C.

Change Source NAT zone to Untrust_L3.

D.

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Buy Now
Questions 25

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

Options:

A.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

B.

Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

C.

Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

D.

Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

Buy Now
Questions 26

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?

Options:

A.

IPv6 Source or Destination Address

B.

Destination-Based Service Route

C.

IPv4 Source Interface

D.

Inherit Global Setting

Buy Now
Questions 27

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.

OSPF

B.

RIP

C.

BGP

D.

IGRP

E.

OSPFv3 virtual link

Buy Now
Questions 28

Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.

No Direct Access to local networks

B.

Tunnel mode

C.

iPSec mode

D.

Satellite mode

Buy Now
Questions 29

Which two statements correctly describe Session 380280? (Choose two.)

PCNSE Question 29

Options:

A.

The session went through SSL decryption processing.

B.

The session has ended with the end-reason unknown.

C.

The application has been identified as web-browsing.

D.

The session did not go through SSL decryption processing.

Buy Now
Questions 30

If a URL is in multiple custom URL categories with different actions, which action will take priority?

Options:

A.

Allow

B.

Override

C.

Block

D.

Alert

Buy Now
Questions 31

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?

Options:

A.

Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

B.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.

C.

Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

D.

Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.

Buy Now
Questions 32

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?

Options:

A.

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.

Update the apps and threat version using device-deployment

C.

Perform a device group push using the "merge with device candidate config" option

D.

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Buy Now
Questions 33

An engineer is configuring a firewall with three interfaces:

• MGT connects to a switch with internet access.

• Ethernet1/1 connects to an edge router.

• Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?

Options:

A.

Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.

B.

Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.

C.

Set DNS and Palo Alto Networks Services to use the MGT source interface.

D.

Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Buy Now
Questions 34

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)

Options:

A.

upload-onlys

B.

install and reboot

C.

upload and install

D.

upload and install and reboot

E.

verify and install

Buy Now
Questions 35

What is the best description of the Cluster Synchronization Timeout (min)?

Options:

A.

The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing

B.

The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall

C.

The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional

D.

The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

Buy Now
Questions 36

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:

A.

A Deny policy for the tagged traffic

B.

An Allow policy for the initial traffic

C.

A Decryption policy to decrypt the traffic and see the tag

D.

A Deny policy with the "tag" App-ID to block the tagged traffic

Buy Now
Questions 37

ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.

1 to 4 hours

B.

6 to 12 hours

C.

24 hours

D.

36 hours

Buy Now
Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0
Last Update: Mar 28, 2024
Questions: 143

PDF + Testing Engine

$66.4  $165.99

Testing Engine

$46  $114.99
buy now PCNSE testing engine

PDF (Q&A)

$42  $104.99
buy now PCNSE pdf