PCNSE Exam Questions
860 real PCNSE exam questions with expert-verified answers and explanations. Page 17 of 18.
- Question #816: Deploy and Configure
When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)
Policy-Based Forwarding (PBF), Firewall Policies, Traffic Steering, Palo Alto Configuration
- Question #817: Deploy and Configure
An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping int...
High Availability (HA), Path Monitoring, Default Settings, Failover Configuration
- Question #818: Configuration Troubleshooting
An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggestin...
GlobalProtect, VPN Troubleshooting, Agent Configuration, Protocol Enforcement
- Question #819: Deploy and Configure
What type of NAT is required to configure transparent proxy?
NAT, Transparent Proxy, DNAT
- Question #820: Deploy and Configure
What should an engineer consider when setting up the DNS proxy for web proxy?
DNS Proxy, Web Proxy, Firewall Configuration, Network Services
- Question #821: Deploy and Configure
An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity. Which two objects can Dynamic User Groups use as match conditions for group membe...
Dynamic User Groups, User-ID, Dynamic Tags, LDAP attributes
- Question #822: Configuration Troubleshooting
A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are...
User-ID, GlobalProtect, Traffic Logs, Zone Configuration
- Question #823: Core Concepts
A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices. What protections does this policy provi...
Decryption Policy, SSL Inspection, Certificate Validation, Firewall Security
- Question #824: Plan
An administrator plans to install the Windows User-ID agent on a domain member system. What is a best practice for choosing where to install the User-ID agent?
User-ID Agent, Deployment Best Practices, Agent Placement, Log Collection
- Question #825: Deploy and Configure
Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?
Web Proxy, Virtual Systems, Feature Limitations, Deployment
- Question #826: Plan
A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?
GlobalProtect, VPN, Licensing, Remote Access
- Question #827: Operate
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?
Dataplane performance, CPU utilization, SSL decryption, Performance troubleshooting
- Question #828: Core Concepts
Which protocol is natively supported by GlobalProtect Clientless VPN?
GlobalProtect, Clientless VPN, HTTPS, SSL VPN
- Question #829: Deploy and Configure
An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?
User-ID, Terminal Server Agent, Citrix, User Mapping
- Question #830: Configuration Troubleshooting
An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from...
SSL Decryption, Troubleshooting, Certificate Management, Exclusion Lists
- Question #831: Operate
After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?
IPSec VPN, IKE Phase 1, CLI Commands, VPN Verification
- Question #832: Configuration Troubleshooting
While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1...
Global Counters, Packet Drops, Troubleshooting, CLI Diagnostics
- Question #833: Deploy and Configure
An administrator plans to install the Windows-Based User-ID Agent. What type of Active Directory (AD) service account should the administrator use?
User-ID Agent, Active Directory, Service Accounts, Least Privilege
- Question #834: Deploy and Configure
A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access on...
GlobalProtect, HIP Objects, Endpoint Posture, Antivirus/Anti-Malware
- Question #835: Operate
An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value...
HA, Preemption, Device Priority, Failover
- Question #836: Deploy and Configure
An administrator needs to assign a specific DNS server to an existing template variable. Where would the administrator go to edit a template variable at the device level?
Panorama Templates, Template Variables, Device Specific Configuration, Variable Management
- Question #837: Configuration Troubleshooting
Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify...
Service Routes, Management Plane, CLI Commands, Troubleshooting
- Question #838: Operate
What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
TLS Decryption, Decryption Profiles, Unsupported Protocols, Firewall Behavior
- Question #839: Deploy and Configure
A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a sta...
IPSec VPN, Dynamic IP, DDNS, FQDN
- Question #840: Configuration Troubleshooting
Review the screenshots. What is the most likely reason for this decryption error log?
SSL Decryption, Certificate Authorities (CA), TLS/SSL Handshake, Troubleshooting
- Question #841: Configuration Troubleshooting
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the certificate is not trusted" warning. Without SSL decryption, the web browser shows that t...
SSL Decryption, Certificate Management, Forward Proxy, Trusted CAs
- Question #842: Deploy and Configure
A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An eng...
User-ID, Group Mapping, Active Directory Integration, Security Policy
- Question #843: Operate
Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)
WildFire, File Analysis, Scripting Files, Manual Upload
- Question #844: Core Concepts
Which two actions can the administrative role called "vsysadmin" perform? (Choose two)
Administrative Roles, Virtual Systems (vsys), Role-Based Access Control (RBAC), Security Policy Management
- Question #845: Configuration Troubleshooting
Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?
Policy Verification, Security Policies, Firewall Tools, Traffic Filtering
- Question #846: Deploy and Configure
A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security pol...
Virtual Systems (VSys), Inter-VSys Routing, Virtual Routers, Zones
- Question #848: Deploy and Configure
A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the fire...
Post-Quantum Cryptography, IKEv2, VPN Configuration, PAN-OS 11.2 Features
- Question #849: Deploy and Configure
How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?
Dynamic User Groups, User-ID, Automated Threat Response, Log Forwarding
- Question #850: Deploy and Configure
For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based acce...
Role-Based Access Control, Panorama Administration, Device Groups, Administrator Roles
- Question #851: Deploy and Configure
A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are fu...
Application-ID, Policy Optimizer, Security Policy, Container Applications
- Question #852: Deploy and Configure
What is the best description of the Cluster Synchronization Timeout (min)?
HA, Clustering, Synchronization, Timeout
- Question #853: Operate
An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panora...
PAN-OS Upgrade, Upgrade Order, Panorama, Log Collectors
- Question #854: Operate
A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been d...
Vulnerability Protection, Exception Handling, False Positives, Operational Efficiency
- Question #855: Deploy and Configure
Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?
IPsec VPN, Tunnel Monitoring, Failover, Network Reliability
- Question #856: Deploy and Configure
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
User-ID, Standalone User-ID agent, Integrated User-ID agent, Resource consumption
- Question #857: Core Concepts
Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?
Packet Buffer Protection, DoS Protection, Zone Protection, Session Management
- Question #858: Deploy and Configure
A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point recor...
Advanced DNS Security, DNS Policy, Anti-Spyware Profile, Licensing
- Question #859: Deploy and Configure
An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the requ...
Panorama, Templates, Device Groups, Zones, Policy Management
- Question #861: Configuration Troubleshooting
The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing...
PAN-OS Upgrade, Panorama, Certificates, Troubleshooting
- Question #862: Configuration Troubleshooting
Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting...
GlobalProtect, Split Tunneling, Gateway Configuration, Client Settings
- Question #863: Deploy and Configure
Which tool can gather information about the application patterns when defining a signature for a custom application?
Custom App-ID, Packet Capture, Application Signature, Wireshark
- Question #864: Configuration Troubleshooting
How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?
VPN, IPsec, Perfect Forward Secrecy (PFS), IKE Gateway
- Question #865: Configuration Troubleshooting
How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?
Application override, App-ID bypass, Content inspection bypass, Troubleshooting
- Question #866: Deploy and Configure
An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)
User-ID, Proxy Integration, Syslog, XFF Headers
- Question #867: Deploy and Configure
A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
SSL/TLS Service Profile, Remote Management, Cipher Suites, Security Configuration