PCNSE Premium Bundle

PCNSE Premium Bundle

Palo Alto Networks Certified Security Engineer (PCNSE)PAN-OS 8.0 Certification Exam

4.5 
(47025 ratings)
0 QuestionsPractice Tests
0 PDFPrint version
December 30, 2024Last update

Paloalto-Networks PCNSE Free Practice Questions

Want to know features? Want to lear more about experience? Study . Gat a success with an absolute guarantee to pass Paloalto Networks PCNSE (Palo Alto Networks Certified Security Engineer (PCNSE)PAN-OS 8.0) test on your first attempt.

Online PCNSE free questions and answers of New Version:

NEW QUESTION 1
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter- VLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface
Which interface type and configuration setting will support this design?

  • A. Trunk interface type with specified tag
  • B. Layer 3 interface type with specified tag
  • C. Layer 2 interface type with a VLAN assigned
  • D. Layer 3 subinterface type with specified tag

Answer: D

NEW QUESTION 2
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data?

  • A. Security policy
  • B. Decryption policy
  • C. Authentication policy
  • D. Application Override policy

Answer: C

NEW QUESTION 3
How are IPV6 DNS queries configured to user interface ethernet1/3?

  • A. Network > Virtual Router > DNS Interface
  • B. Objects > CustomerObjects > DNS
  • C. Network > Interface Mgrnt
  • D. Device > Setup > Services > Service Route Configuration

Answer: D

NEW QUESTION 4
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

  • A. Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ
  • B. Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only
  • C. Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRPprotocols)
  • D. Layer 3 interfaces, but configuring EIGRP on the attached virtual router

Answer: C

NEW QUESTION 5
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443.

  • A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow
  • B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow
  • C. Rule # 1: application: ssl; service: application-default; action: allowRule #2: application: web-browsing; service: application-default; action: allow
  • D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

Answer: A

NEW QUESTION 6
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
• DMZ zone: DMZ-L3
• Public zone: Untrust-L3
• Guest zone: Guest-L3
• Web server zone: Trust-L3
• Public IP address (Untrust-L3): 1.1.1.1
• Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule?

  • A. Untrust-L3
  • B. DMZ-L3
  • C. Guest-L3
  • D. Trust-L3

Answer: A

NEW QUESTION 7
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

  • A. Block sessions with expired certificates
  • B. Block sessions with client authentication
  • C. Block sessions with unsupported cipher suites
  • D. Block sessions with untrusted issuers
  • E. Block credential phishing

Answer: ABC

Explanation: Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a-decryption-profile

NEW QUESTION 8
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW?

  • A. ACC
  • B. System Logs
  • C. App Scope
  • D. Session Browser

Answer: D

NEW QUESTION 9
In the following image from Panorama, why are some values shown in red?
PCNSE dumps exhibit

  • A. sg2 session count is the lowest compared to the other managed devices.
  • B. us3 has a logging rate that deviates from the administrator-configured thresholds.
  • C. uk3 has a logging rate that deviates from the seven-day calculated baseline.
  • D. sg2 has misconfigured session thresholds.

Answer: C

NEW QUESTION 10
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping?

  • A. Microsoft Active Directory
  • B. Microsoft Terminal Services
  • C. Aerohive Wireless Access Point
  • D. Palo Alto Networks Captive Portal

Answer: B

NEW QUESTION 11
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  • A. Disable SNMP on the management interface.
  • B. Application override of SSL application.
  • C. Disable logging at session start in Security policies.
  • D. Disable predefined reports.E.Reduce the traffic being decrypted by the firewall.

Answer: CD

NEW QUESTION 12
Based on the following image,
PCNSE dumps exhibit
what is the correct path of root, intermediate, and end-user certificate?

  • A. Palo Alto Networks > Symantec > VeriSign
  • B. Symantec > VeriSign > Palo Alto Networks
  • C. VeriSign > Palo Alto Networks > Symantec
  • D. VeriSign > Symantec > Palo Alto Networks

Answer: D

NEW QUESTION 13
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two)

  • A. Brute-force signatures
  • B. BrightCloud Url Filtering
  • C. PAN-DB URL Filtering
  • D. DNS-based command-and-control signatures

Answer: CD

NEW QUESTION 14
How can a candidate or running configuration be copied to a host external from Panorama?

  • A. Commit a running configuration.
  • B. Save a configuration snapshot.
  • C. Save a candidate configuration.
  • D. Export a named configuration snapshot.

Answer: D

Explanation: Reference:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/administ er-panorama/back-up-panorama-and-firewall-configurations

NEW QUESTION 15
In a virtual router, which object contains all potential routes?

  • A. MIB
  • B. RIB
  • C. SIP
  • D. FIB

Answer: B

Explanation: Reference: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0ahUKEwiOkbfYzPzXAhVnEJoKHcwVCg4QFghiMAk&url=https%3A%2F%2Flive.paloaltonetworks.com%2Ftwzvq79624%2Fattachments%2Ftwzvq79624%2Fdocumentation_tkb%2F487%2F1%2FRoute%2520Redistribution%2520and%2520Filtering%2520TechNote%2520-%2520Rev% 2520B. pdf&usg=AOvVaw0H9qgaJK0oI2xjIJBNo1Km

NEW QUESTION 16
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Configure the option for “Threshold”.
  • B. Disable automatic updates during weekdays.
  • C. Automatically “download only” and then install Applications and Threats later, after the administrator approves the update.
  • D. Automatically “download and install” but with the “disable new applications” option used.

Answer: A

NEW QUESTION 17
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A. Create a no-decrypt Decryption Policy rule.
  • B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
  • C. Create a Dynamic Address Group for untrusted sites
  • D. Create a Security Policy rule with vulnerability Security Profile attached.
  • E. Enable the “Block sessions with untrusted issuers” setting.

Answer: AD

Recommend!! Get the Full PCNSE dumps in VCE and PDF From Simply pass, Welcome to Download: https://www.simply-pass.com/Paloalto Networks-exam/PCNSE-dumps.html (New 255 Q&As Version)


START PCNSE EXAM