Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Last Update May 18, 2024
Total Questions : 177

Questions 1

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.  

Tunnel mode

B.  

Satellite mode

C.  

IPSec mode

D.  

No Direct Access to local networks

Questions 2

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

Options:

A.  

Authentication Portal

B.  

SSL Decryption profile

C.  

SSL decryption policy

D.  

comfort pages

Questions 3

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Options:

A.  

Change the firewall management IP address

B.  

Configure a device block list

C.  

Add administrator accounts

D.  

Rename a vsys on a multi-vsys firewall

E.  

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Questions 4

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)

Options:

A.  

OSPF

B.  

RIP

C.  

BGP

D.  

IGRP

E.  

OSPFv3 virtual link

Questions 5

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)

Options:

A.  

Encryption algorithm

B.  

Number of security zones in decryption policies

C.  

TLS protocol version

D.  

Number of blocked sessions

Questions 6

Which two statements correctly describe Session 380280? (Choose two.)

Options:

A.  

The session went through SSL decryption processing.

B.  

The session has ended with the end-reason unknown.

C.  

The application has been identified as web-browsing.

D.  

The session did not go through SSL decryption processing.

Questions 7

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

Options:

A.  

1 to 4 hours

B.  

6 to 12 hours

C.  

24 hours

D.  

36 hours

Questions 8

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:

A.  

Data Filtering

B.  

IP-Tag

C.  

Traffic

D.  

Threat

Questions 9

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?

Options:

A.  

Packet Buffer Protection

B.  

Zone Protection

C.  

Vulnerability Protection

D.  

DoS Protection

Questions 10

Which statement about High Availability timer settings is true?

Options:

A.  

Use the Critical timer for faster failover timer settings.

B.  

Use the Aggressive timer for faster failover timer settings

C.  

Use the Moderate timer for typical failover timer settings

D.  

Use the Recommended timer for faster failover timer settings.

Questions 11

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?

Options:

A.  

Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

B.  

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

C.  

Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.

D.  

Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.

Questions 12

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?

Options:

A.  

Post-NAT destination address

B.  

Pre-NAT destination address

C.  

Post-NAT source address

D.  

Pre-NAT source address

Questions 13

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?

Options:

A.  

Configure a floating IP between the firewall pairs.

B.  

Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.

C.  

Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.

D.  

On one pair of firewalls, run the CLI command: set network interface vlan arp.

Questions 14

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:

A.  

No Direct Access to local networks

B.  

Tunnel mode

C.  

IPSec mode

D.  

Satellite mode

Questions 15

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)

Options:

A.  

Inherit settings from the Shared group

B.  

Inherit IPSec crypto profiles

C.  

Inherit all Security policy rules and objects

D.  

Inherit parent Security policy rules and objects

Questions 16

Which three authentication types can be used to authenticate users? (Choose three.)

Options:

A.  

Local database authentication

B.  

PingID

C.  

Kerberos single sign-on

D.  

GlobalProtect client

E.  

Cloud authentication service

Questions 17

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Options:

A.  

A Decryption profile must be attached to the Decryption policy that the traffic matches.

B.  

A Decryption profile must be attached to the Security policy that the traffic matches.

C.  

There must be a certificate with only the Forward Trust option selected.

D.  

There must be a certificate with both the Forward Trust option and Forward Untrust option selected.

Questions 18

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

Options:

A.  

Outdated plugins

B.  

GlobalProtect agent version

C.  

Expired certificates

D.  

Management only mode

Questions 19

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

Options:

A.  

NAT

B.  

DoS Protection

C.  

QoS

D.  

Tunnel inspection

Questions 20

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?

Options:

A.  

A self-signed Certificate Authority certificate generated by the firewall

B.  

A Machine Certificate for the firewall signed by the organization's PKI

C.  

A web server certificate signed by the organization's PKI

D.  

A subordinate Certificate Authority certificate signed by the organization's PKI

Questions 21

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

Options:

A.  

Change destination NAT zone to Trust_L3.

B.  

Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.

C.  

Change Source NAT zone to Untrust_L3.

D.  

Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Questions 22

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?

Options:

A.  

Active-Secondary

B.  

Non-functional

C.  

Passive

D.  

Active

Questions 23

A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220S after the migration.

What can they do to reduce commit times?

Options:

A.  

Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.

B.  

Update the apps and threat version using device-deployment

C.  

Perform a device group push using the "merge with device candidate config" option

D.  

Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Questions 24

Refer to the exhibit.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?

Options:

A.  

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

DATACENTER_DG default rules

B.  

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

shared post-rules

DATACENTER_DG post-rules

shared default rules

C.  

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

shared default rules

D.  

shared pre-rules

DATACENTER_DG pre-rules

rules configured locally on the firewall

DATACENTER_DG post-rules

shared post-rules

DATACENTER_DG default rules

Questions 25

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?

Options:

A.  

Deny

B.  

Discard

C.  

Allow

D.  

Next VR

Questions 26

Which type of zone will allow different virtual systems to communicate with each other?

Options:

A.  

Tap

B.  

External

C.  

Virtual Wire

D.  

Tunnel

Questions 27

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?

Options:

A.  

Monitor Fail Hold Up Time

B.  

Promotion Hold Time

C.  

Heartbeat Interval

D.  

Hello Interval

Questions 28

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?

Options:

A.  

Resource Protection

B.  

TCP Port Scan Protection

C.  

Packet Based Attack Protection

D.  

Packet Buffer Protection

Questions 29

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?

Options:

A.  

Perform a commit force from the CLI of the firewall.

B.  

Perform a template commit push from Panorama using the "Force Template Values" option.

C.  

Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.

D.  

Reload the running configuration and perform a Firewall local commit.

Questions 30

Which protocol is supported by GlobalProtect Clientless VPN?

Options:

A.  

FTP

B.  

RDP

C.  

SSH

D.  

HTTPS

Questions 31

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

Options:

A.  

Hello Interval

B.  

Promotion Hold Time

C.  

Heartbeat Interval

D.  

Monitor Fail Hold Up Time

Questions 32

Where can a service route be configured for a specific destination IP?

Options:

A.  

Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4

B.  

Use Device > Setup > Services > Services

C.  

Use Device > Setup > Services > Service Route Configuration > Customize > Destination

D.  

Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Questions 33

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two.)

Options:

A.  

HSCI-C

B.  

Console Backup

C.  

HA3

D.  

HA2 backup

Questions 34

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?

Options:

A.  

The User-ID agent is connected to a domain controller labeled lab-client

B.  

The host lab-client has been found by a domain controller

C.  

The host lab-client has been found by the User-ID agent.

D.  

The User-ID agent is connected to the firewall labeled lab-client

Questions 35

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?

Options:

A.  

Monitor > Logs > System

B.  

Device > High Availability > Active/Passive Settings

C.  

Monitor > Logs > Traffic

D.  

Dashboard > Widgets > High Availability

Questions 36

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)

Options:

A.  

Minimum TLS version

B.  

Certificate

C.  

Encryption Algorithm

D.  

Maximum TLS version

E.  

Authentication Algorithm

Questions 37

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767

Options:

A.  

The PanGPS process failed to connect to the PanGPA process on port 4767

B.  

The GlobalProtect app failed to connect to the GlobalProtect Portal on port 4767

C.  

The PanGPA process failed to connect to the PanGPS process on port 4767

D.  

The GlobalProtect app failed to connect to the GlobalProtect Gateway on port 4767
