
PCNSE Demo

The document provides a 19-question practice exam for the Palo Alto Networks Certified Security Engineer (PCNSE) certification. It includes multiple-choice questions about Palo Alto Networks Next-Generation Firewalls (NGFWs) covering topics like commit tasks, GlobalProtect configurations, certificate validation, high availability, and more. An administrator is taking this exam to help prepare for the PCNSE certification.

Uploaded by

dezaxxl

Questions & Answers PDF Page 1

Palo Alto Networks


PCNSE Exam
Palo Alto Networks Certified Security Engineer

Thank you for downloading PCNSE exam PDF Demo

You can also try our PCNSE practice exam software

Download Free Demo:

https://www.certshero.com/PCNSE.html

https://www.certshero.com

Version: 20.0
Topic 1, Main Questions pool

Question:1

An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.)

A. Configuration Logs
B. System Logs
C. Task Manager
D. Traffic Logs

Answer: BC

Question:2

SAML SLO is supported for which two firewall features? (Choose two.)

A. GlobalProtect Portal
B. Captive Portal
C. WebUI
D. CLI

Answer: A,B

Question:3

What is the purpose of the firewall decryption broker?

A. Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools
B. Force decryption of previously unknown cipher suites
C. Inspect traffic within an IPsec tunnel
D. Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools

Answer: A

Question:4

Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)

A. Video Streaming Application
B. Client Application Process
C. Destination Domain
D. Source Domain
E. Destination user/group
F. URL Category

Answer: A,B,C

Question:5

Based on the image, what caused the commit warning?

A. The CA certificate for FWDtrust has not been imported into the firewall.
B. The FWDtrust certificate has not been flagged as Trusted Root CA.
C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
D. The FWDtrust certificate does not have a certificate chain.

Answer: D

Question:6

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against
resource exhaustion. When platform utilization is considered, which steps must the administrator
take to configure and apply packet buffer protection?

A. Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone.
B. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection.
C. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone.
D. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone.
E. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.

Answer: A

Question:7

Which feature can provide NGFWs with User-ID mapping information?

A. Web Captcha
B. Native 802.1q authentication
C. GlobalProtect
D. Native 802.1x authentication

Answer: C

Question:8

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit
counter when a firewall is rebooted? (Choose two.)

A. Rule Usage Hit counter will not be reset.
B. Highlight Unused Rules will highlight all rules.
C. Highlight Unused Rules will highlight zero rules.
D. Rule Usage Hit counter will reset.

Answer: A, B

Question:9

The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely
is wrong?

A. A Certificate Profile that contains the client certificate needs to be selected.
B. The source address supports only files hosted with an ftp://<address/file>.
C. External Dynamic Lists do not support SSL connections.
D. A Certificate Profile that contains the CA certificate needs to be selected.

Answer: D

Question:10

Which is not a valid reason for receiving a decrypt-cert-validation error?

A. Unsupported HSM
B. Unknown certificate status
C. Client authentication
D. Untrusted issuer

Answer: A

Question:11

In the following image from Panorama, why are some values shown in red?

A. sg2 session count is the lowest compared to the other managed devices.
B. us3 has a logging rate that deviates from the administrator-configured thresholds.
C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
D. sg2 has misconfigured session thresholds.

Answer: A

Question:12

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1
version?

A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or
template stacks.
B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1
state.
C. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template
stacks will be removed automatically.
D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.

Answer: A

Question:13

Which two methods can be configured to validate the revocation status of a certificate? (Choose
two.)

A. CRL
B. CRT
C. OCSP
D. Cert-Validation-Profile
E. SSL/TLS Service Profile

Answer: A,C

Question:14

Which administrative authentication method supports authorization by an external service?

A. Certificates
B. LDAP
C. RADIUS
D. SSH keys

Answer: C

Question:15

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks
NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the
primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device
0 fails.

Answer: A

Question:16

Which version of GlobalProtect supports split tunneling based on destination domain, client process,
and HTTP/HTTPS video streaming application?

A. GlobalProtect version 4.0 with PAN-OS 8.1
B. GlobalProtect version 4.1 with PAN-OS 8.1
C. GlobalProtect version 4.1 with PAN-OS 8.0
D. GlobalProtect version 4.0 with PAN-OS 8.0

Answer: B

Question:17

How does Panorama prompt VMware NSX to quarantine an infected VM?

A. HTTP Server Profile
B. Syslog Server Profile
C. Email Server Profile
D. SNMP Server Profile

Answer: A

Question:18

An administrator accidentally closed the commit window/screen before the commit was finished.
Which two options could the administrator use to verify the progress or success of that commit task?
(Choose two.)

A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D

Answer: A, D

Question:19

Which two actions would be part of an automatic solution that would block sites with untrusted
certificates without enabling SSL Forward Proxy? (Choose two.)

A. Create a no-decrypt Decryption Policy rule.
B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
C. Create a Dynamic Address Group for untrusted sites.
D. Create a Security Policy rule with vulnerability Security Profile attached.
E. Enable the “Block sessions with untrusted issuers” setting.

Answer: D, E

Question:20

Which CLI command is used to simulate traffic going through the firewall and determine which
Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

A. check
B. find
C. test
D. sim

Answer: C

Reference: http://www.shanekillen.com/2014/02/palo-alto-useful-cli-commands.html

Thank You for trying PCNSE PDF Demo

To try our PCNSE practice exam software visit link below

https://www.certshero.com/PCNSE.html

Start Your PCNSE Preparation


Use Coupon “20OFF” for extra 20% discount on the purchase of
Practice Test Software. Test your PCNSE preparation with actual
exam questions.
