Pcnse Demo

This document provides a summary of the Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 exam. It includes 10 sample multiple choice questions from the exam, covering topics like application identification, VPN configuration, User-ID deployment, routing protocols, and virtual wire interface functionality. The exam focuses on configuring and troubleshooting the Palo Alto Networks firewall platform.

Uploaded by

sylvester names

Vendor: Palo Alto Networks

Exam Code: PCNSE

Exam Name: Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0

Version: DEMO
★ Instant Download ★ PDF And VCE ★ 100% Passing Guarantee ★ 100% Money Back Guarantee

QUESTION 1
After some firewall configuration changes, an administrator discovers that application
identification has started failing. The administrator investigates further and notices that a high
number of sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?

A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup >
Content-ID > Content-ID Settings
B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup >
Content-ID > Content-ID Settings
C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the
number of available packet buffers.
D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-
order and application identification.

Answer: A
Explanation:
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID
inspection when the App-ID inspection queue is full.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-content-id

QUESTION 2
A firewall administrator wants to have visibility on one segment of the company network. The
traffic on the segment is routed on the Backbone switch. The administrator is planning to apply
Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are
enough system resources to get extra traffic on the firewall. The administrator needs to complete
this operation with minimum service interruptions and without making any IP changes.
What is the best option for the administrator to take?

A. Configure the TAP interface for segment X on the firewall.
B. Configure a Layer 3 interface for segment X on the firewall.
C. Configure vwire interfaces for segment X on the firewall.
D. Configure a new vsys for segment X on the firewall.

Answer: C
Explanation:
As it specifically states in the question that security rules will be applied, VWire is the only method
that allows this without making any IP address changes.

QUESTION 3
A network engineer is troubleshooting a VPN and wants to verify whether the
decapsulation/encapsulation counters are increasing.
Which CLI command should the engineer run?

A. Show running tunnel flow lookup
B. Show vpn flow name <tunnel name>
C. Show vpn ipsec-sa tunnel <tunnel name>
D. Show vpn tunnel name | match encap

Answer: B

Get Latest & Actual PCNSE Exam's Question and Answers from Passleader. 2
http://www.passleader.com

Explanation:
Check if encapsulation and decapsulation bytes are increasing. If the firewall is passing traffic,
then both values should be increasing.
> show vpn flow name <tunnel.id/tunnel.name> | match bytes
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

QUESTION 4
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors.
When upgrading Log Collectors to 10.2, you must do what?

A. Upgrade the Log Collectors one at a time.
B. Add Panorama Administrators to each Managed Collector.
C. Add a Global Authentication Profile to each Managed Collector.
D. Upgrade all the Log Collectors at the same time.

Answer: D
Explanation:
You must upgrade all Log Collectors in a collector group at the same time to avoid losing log data.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-log-collectors-when-panorama-is-internet-connected

QUESTION 5
A network security administrator has an environment with multiple forms of authentication. There
is a network access control system in place that authenticates and restricts access for wireless
users, multiple Windows domain controllers, and an MDM solution for company-provided
smartphones. All of these devices have their authentication events logged. Given the information,
what is the best choice for deploying User-ID to ensure maximum coverage?

A. Syslog listener
B. agentless User-ID with redistribution
C. standalone User-ID agent
D. captive portal

Answer: A
Explanation:
To obtain user mappings from existing network services that authenticate users—such as
wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other
Network Access Control (NAC) mechanisms—Configure User-ID to Monitor Syslog Senders for
User Mapping.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users

QUESTION 6
How would an administrator configure a Bidirectional Forwarding Detection (BFD) profile for BGP after
enabling the Advanced Routing Engine on PAN-OS 10.2?

A. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD
profile under Network > Virtual Router > BGP > BFD
B. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the
BFD profile under Network > Virtual Router > BGP > General > Global BFD Profile
C. create a BFD profile under Network > Routing > Routing Profiles > BFD and then select the
BFD profile under Network > Routing > Logical Routers > BGP > General > Global BFD Profile
D. create a BFD profile under Network > Network Profiles > BFD Profile and then select the BFD
profile under Network > Routing > Logical Routers > BGP > BFD

Answer: C
Explanation:
The Advanced Routing Engine uses Logical Routers, not Virtual Routers.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/configure-bgp-on-an-advanced-routing-engine
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/create-bfd-profiles

QUESTION 7
An administrator allocates bandwidth to a Prisma Access Remote Networks compute location
with three remote networks.
What is the minimum amount of bandwidth the administrator could configure at the compute
location?

A. 90 Mbps
B. 300 Mbps
C. 75 Mbps
D. 50 Mbps

Answer: D
Explanation:
The number you specify for the bandwidth applies to both the egress and ingress traffic for the
remote network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you
with a remote network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress.
Your bandwidth speeds can go up to 10% over the specified amount without traffic being
dropped; for a 50 Mbps connection, the maximum bandwidth allocation is 55 Mbps on ingress
and 55 Mbps on egress (50 Mbps plus 10% overage allocation).
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/how-to-calculate-network-bandwidth

QUESTION 8
Where is information about packet buffer protection logged?

A. Alert entries are in the Alarms log. Entries for dropped traffic, discarded sessions, and blocked IP
addresses are in the Threat log.
B. All entries are in the System log.
C. Alert entries are in the System log. Entries for dropped traffic, discarded sessions, and blocked IP
addresses are in the Threat log.
D. All entries are in the Alarms log

Answer: C
Explanation:
The firewall records alert events in the System log and events for dropped traffic, discarded
sessions, and blocked IP address in the Threat log.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

QUESTION 9
Drag and Drop Question

An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple
routing protocols, and the engineer is trying to determine routing priority. Match the default
Administrative Distances for each routing protocol.

Answer:

Explanation:
Static - Range is 10-240; default is 10.
OSPF Internal - Range is 10-240; default is 30.
OSPF External - Range is 10-240; default is 110.
IBGP - Range is 10-240; default is 200.
EBGP- Range is 10-240; default is 20.
RIP - Range is 10-240; default is 120.

QUESTION 10
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet
gateway and wants to be sure of the functions that are supported on the vwire interface.

What are three supported functions on the VWire interface? (Choose three.)

A. NAT
B. QoS
C. IPSec
D. OSPF
E. SSL Decryption

Answer: ABE
Explanation:
The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition
to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive
and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection,
DoS protection, packet buffer protection, tunnel content inspection, and NAT.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces

QUESTION 11
What is considered the best practice with regards to zone protection?

A. Review DoS threat activity (ACC > Block Activity) and look for patterns of abuse
B. Use separate log-forwarding profiles to forward DoS and zone threshold event logs separately
from other threat logs
C. If the levels of zone and DoS protection consume too many firewall resources, disable zone
protection
D. Set the Alarm Rate threshold for event-log messages to high severity or critical severity

Answer: B
Explanation:
https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
Log Forwarding—For easier management, forward DoS logs separately from other Threat logs
directly to administrators via email and to a log server.

QUESTION 12
An administrator is attempting to create policies for deployment of a device group and template
stack.
When creating the policies, the zone drop down list does not include the required zone.
What must the administrator do to correct this issue?

A. Specify the target device as the master device in the device group
B. Enable "Share Unused Address and Service Objects with Devices" in Panorama settings
C. Add the template as a reference template in the device group
D. Add a firewall to both the device group and the template

Answer: C
Explanation:
In order to see what is in a template, the device-group needs the template referenced. Even if you
add the firewall to both the template and device-group, the device-group will not see what is in the
template.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

QUESTION 13
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com.
At other times the session times out. The NGFW has been configured with a PBF rule that the user
traffic matches when it goes to http://www.company.com.
How can the firewall be configured to automatically disable the PBF rule if the next hop goes
down?

A. Create and add a monitor profile with an action of fail over in the PBF rule in question
B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
C. Configure path monitoring for the next hop gateway on the default route in the virtual router
D. Enable and configure a link monitoring profile for the external interface of the firewall

Answer: A
Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor
A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-
based forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to
take when a resource (IPSec tunnel or next-hop device) becomes unavailable.
wait-recover - Wait for the tunnel to recover; do not take additional action. Packets will continue to
be sent according to the PBF rule.
fail-over - Traffic will fail over to a backup path, if one is available. The firewall uses routing table
lookup to determine routing for the duration of this session.

QUESTION 14
Drag and Drop Question

Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS
attack to an example of that type of attack.

Answer:

Explanation:
Application-Based Attacks
- Target weaknesses in a particular application and try to exhaust its resources so legitimate
users can't use it. An example is the Slowloris attack.
Protocol-Based Attacks
- Also known as state-exhaustion attacks, they target protocol weaknesses. A common example
is a SYN flood attack.
Volumetric Attacks
- High-volume attacks that attempt to overwhelm the available network resources, especially
bandwidth, and bring down the target to prevent legitimate users from accessing its resources. An
example is a UDP flood attack.

QUESTION 15
The manager of the network security team has asked you to help configure the company's
Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager
has assigned you the Vulnerability Protection profile for the internet gateway firewall.
Which action and packet-capture setting for items of high severity and critical severity best
matches Palo Alto Networks best practice?

A. action 'reset-both' and packet capture 'extended-capture'
B. action 'default' and packet capture 'single-packet'
C. action 'reset-both' and packet capture 'single-packet'
D. action 'reset-server' and packet capture 'disable'

Answer: A
Explanation:
"Enable extended-capture for critical, high, and medium severity events and single-packet
capture for low severity events. "
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

QUESTION 16
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all
devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls
to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama.
Which action would enable the firewalls to send their pre-existing logs to Panorama?

A. Use the import option to pull logs.
B. Export the log database.
C. Use the scp logdb export command.
D. Use the ACC to consolidate the logs.

Answer: C
Explanation:
Command (the values for end-time, start-time and type are placeholders; the source does not give them):
request logdb migrate-to-panorama start end-time <end-time> start-time <start-time> type <type>
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/install-content-and-software-updates-for-panorama/migrate-panorama-logs-to-new-log-format

QUESTION 17
An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit
does this provide?

A. Automatically include users as members without having to manually create and commit policy or
group changes
B. DUGs are used to only allow administrators access to the management interface on the Palo Alto
Networks firewall
C. It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based
policies
D. Schedule commits at regular intervals to update the DUG with new users matching the tags
specified

Answer: A
Explanation:
Dynamic user groups help you to create policy that provides auto-remediation for anomalous user
behavior and malicious activity while maintaining user visibility. Previously, quarantining users in
response to suspicious activity meant time-and resource-consuming updates for all members of
the group or updating the IP address-to-username mapping to a label to enforce policy at the cost
of user visibility, as well as having to wait until the firewall checked the traffic. Now, you can
configure a dynamic user group to automatically include users as members without having to
manually create and commit policy or group changes and still maintain user-to-data correlation at
the device level before the firewall even scans the traffic.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups.html

QUESTION 18
A bootstrap USB flash drive has been prepared using a Linux workstation to load the initial
configuration of a Palo Alto Networks firewall. The USB flash drive was formatted using file
system NTFS and the initial configuration is stored in a file named init-cfg.txt. The contents of init-
cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewall's USB port, and the firewall has been
powered on. Upon boot, the firewall fails to begin the bootstrapping process. The failure is caused
because:

A. the bootstrap.xml file is a required file, but it is missing
B. init-cfg.txt is an incorrect filename; the correct filename should be init-cfg.xml
C. The USB must be formatted using the ext4 file system
D. There must be commas between the parameter names and their values instead of the equal
symbols
E. The USB drive has been formatted with an unsupported file system

Answer: E
Explanation:
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support
one of the following:
File Allocation Table 32 (FAT32)
Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB2.0 or USB3.0 connectivity:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/bootstrap-the-firewall/usb-flash-drive-support.html#id3cfc3106-f7ab-4eee-82b7-1ca62ec5e997

QUESTION 19
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most
likely is wrong?

A. A Certificate Profile that contains the client certificate needs to be selected.
B. The source address supports only files hosted with an ftp://<address/file>.
C. External Dynamic Lists do not support SSL connections.
D. A Certificate Profile that contains the CA certificate needs to be selected.

Answer: D
Explanation:
If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication.
Select a Certificate Profile
or create a New Certificate Profile for authenticating the server that hosts the list. The certificate
profile you select must have root certificate authority (CA) and intermediate CA certificates that
match the certificates installed on the server you are authenticating.
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414

QUESTION 20
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business
application uptime requirements.

What is the correct setting?

A. Change the HA timer profile to "user-defined" and manually set the timers.
B. Change the HA timer profile to "fast".
C. Change the HA timer profile to "aggressive" or customize the settings in advanced profile.
D. Change the HA timer profile to "quick" and customize in advanced profile.

Answer: C
Explanation:
Use the Recommended profile for typical failover timer settings and the Aggressive profile for
faster failover timer settings. The Advanced profile allows you to customize the timer values to
suit your network requirements.
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html

QUESTION 21
An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit
task? (Choose two.)

A.

B.

C.

D.

Answer: AD
Explanation:
No Decryption profile (Objects > Decryption > Profile > No Decryption) controls server verification
checks for traffic that you choose not to decrypt as defined in "No Decryption" Decryption policies
to which you attach the profile.
Server Certificate Verification
Block sessions with expired certificates
Block sessions with untrusted issuers
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile.html

QUESTION 22
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices
are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

A. Antivirus update package.
B. Applications and Threats update package.
C. User-ID agent.
D. WildFire update package.

Answer: B
Explanation:
Before you upgrade, make sure the firewall is running a version of app + threat (content version)
that meets the minimum requirement of the new PAN-OS (see release notes). We recommend
always running the latest version of content to ensure the most accurate and effective protections
are being applied.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK

Thank You for Trying Our Product

Passleader Certification Exam Features:

★ More than 99,900 Satisfied Customers Worldwide.
★ Average 99.9% Success Rate.
★ Free Update to match latest and real exam scenarios.
★ Instant Download Access! No Setup required.
★ Questions & Answers are downloadable in PDF format and VCE test engine format.
★ Multi-Platform capabilities - Windows, Laptop, Mac, Android, iPhone, iPod, iPad.
★ 100% Guaranteed Success or 100% Money Back Guarantee.
★ Fast, helpful support 24x7.

View list of all certification exams: http://www.passleader.com/all-products.html

10% Discount Coupon Code: ASTR14