Palo Alto Networks Certified Network Security Engineer (PCNSE) Sample Questions
The Palo Alto Networks Certified Network Security Engineer (PCNSE) certification exam evaluates and formalises candidates’ understanding of the knowledge, abilities, and skills necessary for network security engineers, including aspects such as specifying, designing, deploying, operating, managing, and troubleshooting Palo Alto Networks Next-Generation Firewalls. People who have earned the PCNSE certification have demonstrated that they have in-depth understanding of the Palo Alto Networks product line, which they can apply to actual projects.
The article provides a list of Palo Alto Networks Certified Network Security Engineer (PCNSE) Sample Questions that cover core exam topics including:
- Domain 1: Plan
- Domain 2: Deploy and Configure
- Domain 3: Operate
- Domain 4: Configuration Troubleshooting
- Domain 5: Core Concepts
Q1) Which CLI command is employed to simulate traffic passing through the firewall and identify the Security policy rule, NAT translation, static route, or PBF rule that would be activated by the traffic?
- A. check
- B. find
- C. test
- D. sim
Correct Answer: C
Q2) Palo Alto Networks NGFWs in a company provide logs to platforms for remote security monitoring and administration. The corporate WAN is seeing too much traffic, according to the network staff. How may WAN traffic be decreased while all current monitoring and security platforms are still supported by the Palo Alto Networks NGFW administrator?
- A. Have Panorama forward logs to other external services while solely forwarding logs from firewalls to Panorama.
- B. Send logs from outside sources to Panorama for correlation before sending them from Panorama to the NGFW.
- C. Set up log optimization and compression settings on all external firewalls.
- D. The issues about insufficient bandwidth would be addressed by any configuration for an M-500.
Correct Answer: C
Q3) A Layer 2 Ethernet port’s VLAN interface needs to be configured by a client. What two requirements must be met in order to configure a VLAN interface? (Select two.)
- A. Virtual router
- B. Security zone
- C. ARP entries
- D. Netflow Profile
Correct Answer: AB
Q4) The configuration of a Palo Alto Networks NGFW to offer defence against trojans and worms has been requested by an administrator. Which Security Profile type offers anti-trojan and anti-worm protection?
- A. Anti-Spyware
- B. Instruction Prevention
- C. File Blocking
- D. Antivirus
Correct Answer: D
Q5) Firewalls must be preconfigured as little as possible before being shipped to remote sites by a corporation. Each firewall must set up secure tunnels to several regional data centres after deployment, including the upcoming regional data centres. Which VPN setup would be flexible when it was implemented at the new location?
- A. Preconfigured GlobalProtect satellite
- B. Preconfigured GlobalProtect client
- C. Preconfigured IPsec tunnels
- D. Preconfigured PPTP Tunnels
Correct Answer: A
Q6) The configuration of active/passive HA for two Palo Alto Networks NGFWs has been delegated to an administrator. The active firewall receives priority 100 from the administrator. The correct priority for the passive firewall is which one?
- A. 0
- B. 99
- C. 1
- D. 255
Correct Answer: D
Q7) To set up active/passive HA for two Palo Alto Networks NGFWs, an administrator has been requested. The administrator gives the active firewall priority 100. For the passive firewall, which priority is appropriate?
- A. The passive firewall, which then synchronizes to the active firewall
- B. The active firewall, which then synchronizes to the passive firewall
- C. Both the active and passive firewalls, which then synchronize with each other
- D. Both the active and passive firewalls independently, with no synchronization afterward
Correct Answer: D
Q8) What does providing an Authentication Profile serve when configuring a GlobalProtect Portal?
- A. To enable Gateway authentication to the Portal
- B. To enable Portal authentication to the Gateway
- C. To enable user authentication to the Portal
- D. To enable client machine authentication to the Portal
Correct Answer: C
Q9) Which settings are published to the device when a template stack is pushed if it contains three templates with overlapping settings and is assigned to a device?
- A. The settings applied to the top-level template in the stack.
- B. The administrator will be given the opportunity to select the firewall’s parameters.
- C. Every setting that has been set up in every template.
- D. Panorama makes a sending decision using parameters based on the location of the firewall.
Correct Answer: A
Q10) Which technique will the Palo Alto Networks NGFW use to dynamically register tags?
- A. On the firewall, the User-ID agent, or the read-only domain controller (RODC), the Restful API or the VMware API
- B. On the firewall or the User-ID agent, the Restful API or the VMware API
- C. the User-ID agent, the VMware API, the firewall, or the CLI
- D. the NGFW’s XML API, the VM Monitoring agent, or both the User-ID agent and the NGFW API
Correct Answer: D
Q11) How can an administrator plan a dynamic update for Applications and Threats while postponing the update’s installation for a predetermined period of time?
- A. Set the “Threshold” option as desired.
- B. During the workweek, disable automatic updates.
- C. Automatically “download just,” then, after the administrator has given the update the go-ahead, install Applications and Threats.
- D. Download and install automatically with the “disable new programmes” checkbox active.
Correct Answer: C
Q12) Which setting needs to be enabled in order to link the Palo Alto Networks firewall to AutoFocus?
- A. Device > Setup > Services > AutoFocus
- B. Device > Setup > Management > AutoFocus
- C. AutoFocus is enabled by default on the Palo Alto Networks NGFW
- D. Device > Setup > WildFire > AutoFocus
- E. Device > Setup > Management > Logging and Reporting Settings
Correct Answer: B
Q13) A manager ran across issues with inbound decryption. Which alternative needs to be looked at by the administrator as part of triage?
- A. Security policy rule allowing SSL to the target server
- B. Firewall connectivity to a CRL
- C. Root certificate imported into the firewall with “Trust” enabled
- D. Importation of a certificate from an HSM
Correct Answer: A
Q14) Which two virtualization systems enable Palo Alto Networks VM-Series firewall deployment? (Select two.)
- A. Red Hat Enterprise Virtualization (RHEV)
- B. Kernel Virtualization Module (KVM)
- C. Boot Strap Virtualization Module (BSVM)
- D. Microsoft Hyper-V
Correct Answer: BD
Q15) Which User-ID technique converts IP addresses to usernames for users connecting over a wireless network device supporting 802.1x but lacking native PAN-OS® software integration?
- A. XML API
- B. Port Mapping
- C. Client Probing
- D. Server Monitoring
Correct Answer: A
Q16) Which application and service in the Traffic log will display as decrypted packets from the URL https://www.microsoft.com?
- A. web-browsing and 443
- B. SSL and 80
- C. SSL and 443
- D. web-browsing and 80
Correct Answer: C
Q17) Which PAN-OS® policy must you set up in order to require further authentication from users before they can access an internal application that includes extremely sensitive company data?
- A. Security policy
- B. Decryption policy
- C. Authentication policy
- D. Application Override policy
Correct Answer: C
Q18) What are the two advantages of Panorama’s nested device groups? (Select two.)
- A. Reuse of the existing Security policy rules and objects
- B. Requires configuring both function and location for every device
- C. All device groups inherit settings from the Shared group
- D. Overwrites local firewall configuration
Correct Answer: AC
Q19) In which Captive Portal mode must MFA authentication be enabled?
- A. NTLM
- B. Redirect
- C. Single Sign-On
- D. Transparent
Correct Answer: B
Q20) How can a system administrator incorporate every non-native MFA platform into PAN-OS® software?
- A. Okta
- B. DUO
- C. RADIUS
- D. PingID
Correct Answer: C