
[UPDATED 2024] Read PCNSE Study Guide Cover to Cover as Literally [Q121-Q138]


100% Real & Accurate PCNSE Questions and Answers with Free and Fast Updates


Certification Path

PCNSE is an advanced exam and PCNSA - Palo Alto Networks Certified Network Security Administrator is a prerequisite for this Palo Alto Networks PCNSE exam.

 

NEW QUESTION # 121
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and is experiencing issues completing the connection. The following is the output from the command:

What could be the cause of this problem?

  • A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
  • B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.
  • C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
  • D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.

Answer: C


NEW QUESTION # 122


View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)

  • A. Facetime has a higher priority but lower bandwidth than Zoom.
  • B. SMTP has a higher priority but lower bandwidth than Zoom.
  • C. DNS has a higher priority and more bandwidth than SSH.
  • D. Google-video has a higher priority and more bandwidth than WebEx.

Answer: A,B


NEW QUESTION # 123
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two.)

  • A. GlobalProtect agent
  • B. User-ID Windows-based agent
  • C. XML API
  • D. log forwarding auto-tagging

Answer: B,C

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic-user-groups.html


NEW QUESTION # 124
Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three.)

  • A. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes
  • B. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence
  • C. The environment requires real, full-time redundancy from both firewalls at all times
  • D. The environment requires that all configuration must be fully synchronized between both members of the HA pair
  • E. The environment requires Layer 2 interfaces in the deployment

Answer: A,B,C

Explanation:
Active/Active high availability is a deployment mode that allows both firewalls in an HA pair to actively process traffic and share the load. Active/Active HA is suitable for environments that require real, full-time redundancy from both firewalls at all times, as there is no failover time or session loss in case of a firewall failure. Active/Active HA is also suitable for environments that require that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence, as each firewall can run its own routing protocols and exchange routes with other routers independently. Active/Active HA is also suitable for environments that require that traffic be load-balanced across both firewalls to handle peak traffic spikes, as each firewall can process a portion of the traffic and increase the overall throughput and performance.

Active/Active HA is not suitable for environments that require Layer 2 interfaces in the deployment, as Layer 2 interfaces are not supported in Active/Active HA mode. Active/Active HA is also not suitable for environments that require that all configuration must be fully synchronized between both members of the HA pair, as some configuration settings are not synchronized in Active/Active HA mode, such as virtual router configuration, virtual wire configuration, and QoS configuration.

Reference:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case


NEW QUESTION # 125
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded?

  • A. Security policy rule
  • B. Service route
  • C. Scheduler
  • D. CRL

Answer: A


NEW QUESTION # 126
What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.)

  • A. The TCP connection was terminated without identifying any application data
  • B. There was no application data after the TCP connection was established
  • C. The client sent a TCP segment with the PUSH flag set
  • D. The TCP connection did not fully establish
  • E. There is not enough application data after the TCP connection was established

Answer: A,B,D

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC


NEW QUESTION # 127
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

  • A. show system details
  • B. show system info
  • C. debug system details
  • D. show session info

Answer: B

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK
Reference:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/pan-os-60/PAN-CLI-ref.pdf


NEW QUESTION # 128
When is the content inspection performed in the packet flow process?

  • A. before session lookup
  • B. after the SSL Proxy re-encrypts the packet
  • C. after the application has been identified
  • D. before the packet forwarding process

Answer: C

Explanation:
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081


NEW QUESTION # 129
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS software would help in this case?

  • A. application override
  • B. content inspection
  • C. Virtual Wire mode
  • D. redistribution of user mappings

Answer: D

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-netw


NEW QUESTION # 130
Which two features does PAN-OS software use to identify applications? (Choose two)

  • A. transaction characteristics
  • B. application layer payload
  • C. port number
  • D. session number

Answer: A,B


NEW QUESTION # 131
Where can an administrator see both the management-plane and data-plane CPU utilization in the WebUI?

  • A. General Information widget
  • B. System Logs widget
  • C. System Resources widget
  • D. Session Browser

Answer: C

Explanation:
The System Resources widget of the Exadata WebUI displays a real-time overview of the various resources like CPU, Memory, and I/O usage across the entire Exadata Database Machine. It shows the usage of both management-plane and data-plane CPU utilization.
System Resources Widget: Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/dashboard/dashboard-widge


NEW QUESTION # 132
A network security engineer must implement Quality of Service policies to ensure specific levels of delivery guarantees for various applications in the environment. They want to ensure that they know as much as they can about QoS before deploying.
Which statement about the QoS feature is correct?

  • A. QoS can be used on firewalls with multiple virtual systems configured
  • B. QoS is only supported on hardware firewalls
  • C. QoS is only supported on firewalls that have a single virtual system configured
  • D. QoS can be used in conjunction with SSL decryption

Answer: A

Explanation:
The correct answer is D - QoS can be used on firewalls with multiple virtual systems configured. QoS is a feature that enables network administrators to prioritize and manage network traffic to ensure that critical applications receive the necessary bandwidth and quality of service. This feature can be used on firewalls with multiple virtual systems, allowing administrators to configure policies on a per-Virtual System basis.
Additionally, QoS can be used in conjunction with SSL decryption to ensure that applications running over SSL receive appropriate treatment.


NEW QUESTION # 133
Which method will dynamically register tags on the Palo Alto Networks NGFW?

  • A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
  • B. XML-API or the VM Monitoring agent on the NGFW or on the User-ID agent
  • C. Restful API or the VMware API on the firewall or on the User-ID agent
  • D. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI

Answer: B

Explanation:
To mitigate the challenges of scale, lack of flexibility, and performance, network architectures today allow for virtual machines (VMs) and applications to be provisioned, changed, and deleted on demand. This agility, though, poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned VMs and the plethora of applications that can be enabled on these virtual resources. Firewalls (hardware-based and VM-Series models) support the ability to register IP addresses, IP sets (IP ranges and subnets), and tags dynamically. The IP addresses and tags can be registered on the firewall directly or from Panorama. You can also automatically remove tags on the source and destination IP addresses included in a firewall log.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy


NEW QUESTION # 134
An administrator needs to gather information about the firewall CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?

  • A. System Resources Widget on the Dashboard
  • B. Application Command and Control Center
  • C. Support > Resources
  • D. Monitor > Utilization

Answer: A

Explanation:
The System Resources widget on the Dashboard in the WebUI shows both the management plane and data plane CPU utilization as well as other system resources such as memory, disk, and session [1]. The other options do not show both the management plane and data plane CPU utilization. The Application Command and Control Center (ACC) shows the network activity and application usage based on traffic logs [2]. The Monitor > Utilization page shows the interface utilization and packet buffer utilization [3]. The Support > Resources page shows the system resources for Panorama only [4].

Reference:
[1] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/dashboard/dashboard-widgets
[2] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/acc/acc-overview
[3] https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/monitor/monitor-utilization
[4] https://docs.paloaltonetworks.com/panorama/10-2/panorama-web-interface-help/support/support-resources


NEW QUESTION # 135
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem?

  • A. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode.
  • B. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode.
  • C. DNS has not been properly configured on the firewall
  • D. DHCP has been set to Auto.

Answer: A

Explanation:
In a Layer 2 deployment, the firewall provides switching between two or more interfaces. Each group of interfaces must be assigned to a VLAN object in order for the firewall to switch between them.
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/getting-started/basic-interface-deployments


NEW QUESTION # 136
Which two are required by IPSec in transport mode? (Choose two.)

  • A. IKEv1
  • B. Auto generated key
  • C. DH-group 20 (ECP-384 bits)
  • D. NAT Traversal

Answer: A,C


NEW QUESTION # 137
In a security-first network what is the recommended threshold value for content updates to be dynamically updated?

  • A. 1 to 4 hours
  • B. 6 to 12 hours
  • C. 24 hours
  • D. 36 hours

Answer: B

Explanation:
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-thre


NEW QUESTION # 138
......
