Pass the Palo Alto Networks Palo Alto Certifications and Accreditations PCNSE Questions and Answers with CertsForce

Viewing page 1 out of 12 pages
Viewing questions 1-10 out of questions
Questions # 1:

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?

Options:

A.

An SSL/TLS Service profile with a certificate assigned.


B.

An Interface Management profile with HTTP and HTTPS enabled.


C.

A Certificate profile with a trusted root CA.


D.

An Authentication profile with the allow list of users.


Questions # 2:

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?

Options:

A.

Increase the frequency of the applications and threats dynamic updates.


B.

Increase the frequency of the antivirus dynamic updates


C.

Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.


D.

Enable the "Report Grayware Files" option in Device > Setup > WildFire.


Questions # 3:

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:

A.

In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate


B.

Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure


C.

Check whether the VPN peer on one end is set up correctly using policy-based VPN


D.

In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.


Questions # 4:

Which link is responsible for synchronizing sessions between high availability (HA) peers?

Options:

A.

HA1


B.

HA3


C.

HA4


D.

HA2


Questions # 5:

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

Options:

A.

debug ike stat


B.

test vpn ipsec-sa tunnel


C.

show vpn ipsec-sa tunnel


D.

test vpn ike-sa gateway


Questions # 6:

What should an engineer consider when setting up the DNS proxy for web proxy?

Options:

A.

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.


B.

A maximum of two FQDNs can be mapped to an IP address in the static entries for DNS proxy.


C.

DNS timeout for web proxy can be configured manually, and it should be set to the highest value possible.


D.

Adjust the UDP queries for the DNS proxy to allow both DNS servers to be tried within 20 seconds.


Questions # 7:

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)

Options:

A.

Financial, health, and government traffic categories


B.

Known traffic categories


C.

Known malicious IP space


D.

Public-facing servers


E.

Less-trusted internal IP subnets


Questions # 8:

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL.

When creating a new rule, what is needed to allow the application to resolve dependencies?

Options:

A.

Add SSL and web-browsing applications to the same rule.


B.

Add web-browsing application to the same rule.


C.

Add SSL application to the same rule.


D.

SSL and web-browsing must both be explicitly allowed.


Questions # 9:

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)

Options:

A.

ECDSA


B.

ECDHE


C.

RSA


D.

DHE


Questions # 10:

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?

Options:

A.

Custom URL category in URL Filtering profile


B.

EDL in URL Filtering profile


C.

PAN-DB URL category in URL Filtering profile


D.

Custom URL category in Security policy rule

