PCNSE6 Premium Bundle

Palo Alto Networks Certified Network Security Engineer 6.0 Certification Exam

Last update: November 5, 2024

Paloalto-Networks PCNSE6 Free Practice Questions

Q1. A network engineer experienced network reachability problems through the firewall. The routing table on the device is complex. To troubleshoot the problem the engineer ran a Command Line Interface (CLI) command to determine the egress interface for traffic destined to 98.139.183.24. The command resulted in the following output: 

How should this output be interpreted? 

A. There is no route for the IP address 98.139.183.24, and there is a default route for outbound traffic. 

B. There is no interface in the firewall with the IP address 98.139.183.24. 

C. In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16. 

D. There is no route for the IP address 98.139.183.24, and there is no default route. 

Answer:

Q2. To create a custom signature object for an Application Override Policy, which of the following fields are mandatory? 

A. Category 

B. Regular Expressions 

C. Ports 

D. Characteristics 

Answer:

Q3. HOTSPOT 

Match each type of report provided by the firewall with its description. Answer options may be used more than once or not at all. 

Answer:  

Q4. Which feature can be configured with an IPv6 address? 

A. Static Route 

B. RIPv2 

C. DHCP Server 

D. BGP 

Answer:

Explanation: 

Reference: https://live.paloaltonetworks.com/docs/DOC-5493 

Q5. Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) 

A. True 

B. False 

Answer:

Q6. Which statement accurately reflects the functionality of using regions as objects in Security policies? 

A. Predefined regions are provided for countries, but not for cities. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. 

B. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. These custom regions can be used in the "Source User" field of the Security Policies. 

C. Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set up custom regions. 

D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. Both predefined regions and custom regions can be used in the "Source User" field. 

Answer:

Q7. As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. Why would this be? 

A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block pages enabled. 

B. Application Block Pages will only be displayed when Captive Portal is configured 

C. Some Application IDs are set with a Session Timeout value that is too low. 

D. Application Block Pages will only be displayed when users attempt to access a denied web-based application. 

Answer:

Q8. You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic? 

A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone. 

B. Subinterface ID and VLAN tag only 

C. By Zone and/or IP Classifier 

D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet). 

Answer:

Q9. Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo Alto Networks firewall for multiple virtual systems? 

A. In the GUI under Network->Global Protect->Gateway->Vsys2 

B. In the GUI under Device->Setup->Session->Session Settings 

C. In the GUI under Device->Virtual Systems->Vsys2->Resource 

D. In the GUI under Network->Global Protect->Portal->Vsys2 

Answer:

Explanation: 

Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6 

Q10. Which two interface types provide support for network address translation (NAT)? Choose 2 answers 

A. HA 

B. Tap 

C. Layer3 

D. Virtual Wire 

E. Layer2 

Answer: C,D 

Explanation: 

Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-7-11647/Understanding_NAT-4.1-RevC.pdf 

Q11. What can cause missing SSL packets when performing a packet capture on data plane interfaces? 

A. There is a hardware problem with the offloading FPGA on the management plane. 

B. The missing packets are offloaded to the management plane CPU. 

C. The packets are hardware offloaded to the offload processor on the data plane. 

D. The packets are not captured because they are encrypted. 

Answer:

Explanation: 

Reference: https://live.paloaltonetworks.com/docs/DOC-8621 

Q12. Wildfire may be used for identifying which of the following types of traffic? 

A. Malware 

B. DNS 

C. DHCP 

D. URL Content 

Answer:

Q13. What is the maximum usable storage capacity of an M-100 appliance? 

A. 2TB 

B. 4TB 

C. 6TB 

D. 8TB 

Answer:

Explanation: 

Reference: https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-100-appliance.html 

Q14. Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers 

A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis, regardless of interface(s). They provide reconnaissance protection against TCP/UDP port scans and host sweeps. 

B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide resource protection by limiting the number of sessions that can be used. 

C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities. 

D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing "random early drop". 

Answer: B,D 

Explanation: 

Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-3-25328/Application%20DDoS%20Mitigation.pdf page 4 

Q15. Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? Choose 3 answers 

A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2 

B. Validating that UDP port 53 packets are not being used to tunnel data for another protocol 

C. Identifying unauthorized applications that attempt to connect over non-standard ports 

D. Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server 

E. Removing from the session table any TCP session without traffic for 3600 seconds 

Answer: B,C,D 
