PCNSE Exam Questions

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?

Which two are required by IPSec in transport mode? (Choose two.)

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forward...

Which rule type controls end user SSL traffic to external websites?

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can t...

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbou...

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and th...

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?

Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an active/passive high availability (HA) configuration. The Palo Alto Networks best practice upgrade...

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when...

An engineer has been given approval to upgrade their environment to the latest of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pai...

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using dec...

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any...

What happens when the log forwarding built-in action with tagging is used?

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that...

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)

A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwar...

A firewall administrator has confirmed reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the...

After implementing a new NGFW, a firewall engineer is alerted to a VoIP traffic issue. After troubleshooting, the engineer confirms that the firewall is alerting the voice packets...

An administrator is considering deploying WildFire globally. What should the administrator consider with regards to the WildFire analysis process?

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created f...

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another...

A security team has enabled eal-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being al...

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downl...

Which interface type should a firewall administrator configure as an upstream to the ingress trusted interface when configuring transparent web proxy on a Palo Alto Networks firewa...

A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns? (Choos...

The server team is concerned about the high volume of logs forwarded to their syslog server, it is determined that DNS is generating the most logs per second. The risk and complian...

A threat intelligence team has requested more than a dozen Short signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill thi...

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees tra...

An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies the administrator must update all the IPSec V...

The firewall team has been asked to deploy a new Panorama server and to forward all firewall logs to this server By default, which component of the Palo Alto Networks firewall arch...

Forwarding of which two log types is configured in Device > Log Settings? (Choose two.)

A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to...

A company wants to deploy IPv6 on its network which requires that all company Palo Alto Networks firewalls process IPv6 traffic and to be configured with IPv6 addresses. Which cons...

What does the User-ID agent use to find login and logout events in syslog messages?

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values: - Source zone: Out...

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Which three sessions are created by a NGFW for web proxy? (Choose three.)

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant...

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates. What must occur to have Antivirus signatures update?

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method....

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing. Which installer package file should the administrator download from the support si...

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter. What must the administrator consider as they prepar...