Free PCNSE Sample Questions — Palo Alto Networks Certified Network Security Engineer

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

• A. Configure the option for "Threshold"
• B. Disable automatic updates during weekdays
• C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update
• D. Automatically "download and install" but with the "disable new applications" option used

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OSֲ® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web- browsing traffic from any to any zone. What must the administrator configure so that the PAN-OSֲ® software can be upgraded?

• A. Security policy rule
• B. CRL
• C. Service route
• D. Scheduler

Which operation will impact the performance of the management plane?

• A. Enabling DoS protection
• B. Enabling packet buffer protection
• C. Decrypting SSL sessions
• D. Generating a Saas Application report

An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?

• A. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure
• B. Check whether the VPN peer on one end is set up correctly using policy-based VPN
• C. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate
• D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers

A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?

• A. Routes listed in the routing table with flags Oi
• B. Routes listed in the routing table with flags A?B
• C. Under the BGP Summary tab
• D. Routes listed in the forwarding table with BGP in the Protocol column

Which three authentication factors does PAN-OSֲ® software support for MFA? (Choose three.)

• A. Push
• B. Pull
• C. Okta Adaptive
• D. Voice
• E. SMS

A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW. Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

• A. Layer 2
• B. Virtual Wire
• C. Tap
• D. Layer 3

When overriding a template configuration locally on a firewall, what should you consider?

• A. Panorama will update the template with the overridden value
• B. The firewall template will show that it is out of sync within Panorama
• C. Only Panorama can revert the override
• D. Panorama will lose visibility into the overridden configuration

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?

• A. show session all filter nat source
• B. show running nat-rule-ippool rule “rule_name”
• C. show running nat-policy
• D. show session all filter nat-rule-source

An administrator has configured a QoS policy rule and a QoS Profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS?

• A. Enable QoS interface
• B. Enable QoS in the Interface Management Profile
• C. Enable QoS Data Filtering Profile
• D. Enable QoS monitor

A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?

• A. a WildFire profile and a File Blocking profile
• B. a Vulnerability Protection profile and a Decryption policy
• C. a Vulnerability Protection profile and a QoS policy
• D. a Decryption policy and a Data Filtering profile

An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are form external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result?

• A. Create a custom App-ID and enable scanning on the advanced tab
• B. Create an Application Override policy
• C. Create a custom App-ID and use the "ordered conditions" check box
• D. Create an Application Override policy and a custom threat signature for the application

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)

• A. Check dependencies
• B. Schedules
• C. Verify
• D. Revert content
• E. Install

An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?

• A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
• B. Use an enterprise CA-signed certificate for the Forward Untrust certificate
• C. Use the same Forward Trust certificate on all firewalls in the network
• D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate

The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

• A. 6-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol, and Source Security Zone
• B. 5-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Protocol
• C. 7-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, URL Category, and Source Security Zone
• D. 9-tuple match: Source IP Address, Destination IP Address, Source Port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category

How does Panorama prompt VMWare NSX to quarantine an infected VM?

• A. HTTP Server Profile
• B. Syslog Server Profile
• C. Email Server Profile
• D. SNMP Server Profile

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)

• A. Log Forwarding profile
• B. SSL decryption exclusion
• C. Email scheduler
• D. Login banner
• E. Dynamic updates

An administrator is building Security rules within a device group to block traffic to and from malicious locations. How should those rules be configured to ensure that they are evaluated with a high priority?

• A. Create the appropriate rules with a Block action and apply them at the top of the local firewall Security rules
• B. Create the appropriate rules with a Block action and apply them at the top of the Security Pre-Rules
• C. Create the appropriate rules with a Block action and apply them at the top of the Security Post-Rules
• D. Create the appropriate rules with a Block action and apply them at the top of the Default Rules

An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.)

• A. Check the HA Link Monitoring interface cables
• B. Check High Availability > Active/Passive Settings > Passive Link State
• C. Check the High Availability > Link and Path Monitoring settings
• D. Check the High Availability > HA Communications > Packet Forwarding settings
• E. Use the CLI command show high-availability flap-statistics

In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely which protocol should you select when adding a new scheduled config export?

• A. HTTPS
• B. FTP
• C. SMB v3
• D. SCP