Palo Alto Networks PCNSE Practice Test

Palo Alto Networks Certified Network Security Engineer


Question 1

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the
administrator use to verify the progress or success of that commit task? (Choose two.)



  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D
Answer:

A D


Question 2

What is the purpose of the firewall decryption broker?

  • A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
  • B. force decryption of previously unknown cipher suites
  • C. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
  • D. inspect traffic within IPsec tunnels
Answer:

A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryption-features/decryption-broker


Question 3

Which feature can be configured on VM-Series firewalls?

  • A. aggregate interfaces
  • B. machine learning
  • C. multiple virtual systems
  • D. GlobalProtect
Answer:

D


Question 4

Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

  • A. .dll
  • B. .exe
  • C. .fon
  • D. .apk
  • E. .pdf
  • F. .jar
Answer:

D E F


Question 5

When is the content inspection performed in the packet flow process?

  • A. after the application has been identified
  • B. before session lookup
  • C. before the packet forwarding process
  • D. after the SSL Proxy re-encrypts the packet
Answer:

A

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081


Question 6

Which two features require another license on the NGFW? (Choose two.)

  • A. SSL Inbound Inspection
  • B. SSL Forward Proxy
  • C. Decryption Mirror
  • D. Decryption Broker
Answer:

C D

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-decryption-port-mirroring.html
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-licenses.html


Question 7

A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement.
During onboarding, the following options and licenses were selected and enabled:
- Prisma Access for Remote Networks: 300Mbps
- Prisma Access for Mobile Users: 1500 Users
- Cortex Data Lake: 2TB
- Trusted Zones: trust
- Untrusted Zones: untrust
- Parent Device Group: shared
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access
for Mobile Users. Which two settings must the customer configure? (Choose two.)

  • A. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
  • B. Configure Cortex Data Lake log forwarding and add the Splunk syslog server.
  • C. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox. Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group.
  • D. Configure a Log Forwarding profile, select the syslog checkbox, and add the Splunk syslog server. Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group.
Answer:

B C

Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html


Question 8

On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent
rogue administrators or other bad actors from misusing keys?

  • A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
  • B. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
Answer:

B

Explanation:
Reference: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block-export-of-private-keys.html


Question 9

Which virtual router feature determines if a specific destination IP address is reachable?

  • A. Heartbeat Monitoring
  • B. Failover
  • C. Path Monitoring
  • D. Ping-Path
Answer:

C

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/policy-based-forwarding/pbf/path-monitoring-for-pbf


Question 10

An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information
available is shown on the following image.
Which configuration change should the administrator make?



  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D
  • E. Option E
Answer:

B
