Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

PCNSEFree trial

By palo-alto-networks

Verified

25Q per page

Question 101

A Security policy rule is configured with a Vulnerability Protection Profile and an action of Deny.
Which action will this cause configuration on the matched traffic?

A: The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to ג€Denyג€.
B: The configuration will allow the matched session unless a vulnerability signature is detected. The ג€Denyג€ action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
C: The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D: The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to ג€Denyג€.

—

Question 102

During SSL decryption, which three factors affect resource consumption? (Choose three.)

A: key exchange algorithm
B: transaction size
C: TLS protocol version
D: applications ta non-standard ports
E: certificate issuer

—

Question 103

An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

A: A Decryption profile must be attached to the Decryption policy that the traffic matches.
B: There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
C: A Decryption profile must be attached to the Security policy that the traffic matches.
D: There must be a certificate with only the Forward Trust option selected.

—

Question 104

Which two features require another license on the NGFW? (Choose two.)

A: SSL Inbound Inspection
B: SSL Forward Proxy
C: Decryption Mirror
D: Decryption Broker

—

Question 105

An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization?

A: WildFire and Threat Prevention combine to minimize the attack surface.
B: After 24 hours, WildFire signatures are included in the antivirus update.
C: Protection against unknown malware can be provided in near real-time.
D: WildFire and Threat Prevention combine to provide the utmost security posture for the firewall.

—

Question 106

What are two characteristic types that can be defined for a variable? (Choose two.)

A: zone
B: FQDN
C: IP netmask
D: path group

—

Question 107

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)

A: Permitted IP Addresses
B: SSH
C: https
D: User-ID
E: HTTP

—

Question 108

An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane.
Which CLI command should the administrator use to obtain the packet capture for validating the configuration?

A: > scp export mgmt-pcap from mgmt.pcap to (username@host:path)
B: > scp export poap-mgmt from poap.mgmt to (username@host:path)
C: > ftp export mgmt-pcap from mgmt.pcap to <FTF host>
D: > scp export pcap from pcap to (username@host:path)

—

Question 109

When you configure an active/active high availability pair, which two links can you use? (Choose two.)

A: ׀׀3
B: Console Backup
C: HSCI-C
D: HA2 backup

—

Question 110

What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

A: the web server requires mutual authentication
B: the website matches a category that is not allowed for most users
C: the website matches a high-risk category
D: the website matches a sensitive category

—

Question 111

PBF can address which two scenarios? (Choose two.)

A: routing FTP to a backup ISP link to save bandwidth on the primary ISP link
B: providing application connectivity the primary circuit fails
C: enabling the firewall to bypass Layer 7 inspection
D: forwarding all traffic by using source port 78249 to a specific egress interface

—

Question 112

Refer to the exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?

A: Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
B: Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
C: Configure log compression and optimization features on all remote firewalls.
D: Any configuration on an M-500 would address the insufficient bandwidth concerns.

—

Question 113

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?

A: Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
B: Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
C: Enable and configure a Link Monitoring Profile for the external interface of the firewall.
D: Configure path monitoring for the next hop gateway on the default route in the virtual router.

—

Question 114

A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbour is correct, but the route is not in the neighbour's routing table.
Which two configurations should you check on the firewall? (Choose two.)

A: Ensure that the OSPF neighbour state is "2-Way"
B: In the OSPF configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
C: Within the redistribution profile ensure that Redist is selected.
D: In the redistribution profile check that the source type is set to "ospf."

—

Question 115

Which value in the Application column indicates UDP traffic that did not match an App-ID signature?

A: unknown-udp
B: unknown-ip
C: incomplete
D: not-applicable

—

Question 116

What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.)

A: App-ID
B: Custom URL Category
C: User-ID
D: Destination Zone
E: Source Interface

—

Question 117

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane.
Where does the administrator view the desired data?

A: Resources Widget on the Dashboard
B: Monitor > Utilization
C: Support > Resources
D: Application Command and Control Center

—

Question 118

Which CLI command displays the physical media that are connected to ethernet1/8?

A: > show system state filter-pretty sys.s1.p8.stats
B: > show system state filter-pretty sys.s1.p8.med
C: > show interface ethernet1/8
D: > show system state filter-pretty sys.s1.p8.phy

—

Question 119

A variable name must start with which symbol?

A: $
B: !
C: #
D: &

—

Question 120

Given the following configuration, which route is used for destination 10.10.0.4? set network virtual-router 2 routing-table ip static-route "Route 1" nexthop ip-address 192.168.1.2 set network virtual-router 2 routing-table ip static-route "Route 1" metric 30 set network virtual-router 2 routing-table ip static-route "Route 1" destination 10.10.0.0/24 set network virtual-router 2 routing-table ip static-route "Route 1" re route-table unicast set network virtual-router 2 routing-table ip static-route "Route 2" nexthop ip-address 192.168.1.2 set network virtual-router 2 routing-table ip static-route "Route 2" metric 20 set network virtual-router 2 routing-table ip static-route "Route 2" destination 10.10.0.0/24 set network virtual-router 2 routing-table ip static-route "Route 2" route-table unicast set network virtual-router 2 routing-table ip static-route "Route 3" nexthop ip-address 10.10.20.1 set network virtual-router 2 routing-table ip static-route "Route 3" metric 5 set network virtual-router 2 routing-table ip static-route "Route 3" destination 0.0.0.0/0 set network virtual-router 2 routing-table ip static-route "Route 3" route-table unicast set network virtual-router 2 routing-table ip static-route "Route 4" nexthop ip-address 192.168.1.2 set network virtual-router 2 routing-table ip static-route "Route 4" metric 10 set network virtual-router 2 routing-table ip static-route "Route 4" destination 10.10.1.0/25 set network virtual-router 2 routing-table ip static-route "Route 4" route-table unicast

A: Route 1
B: Route 3
C: Route 2
D: Route 4

—

Question 121

In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

A: self-signed CA certificate
B: server certificate
C: wildcard server certificate
D: client certificate
E: enterprise CA certificate

—

Question 122

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.
The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.
Which two solutions can the administrator use to scale this configuration? (Choose two.)

A: virtual systems
B: template stacks
C: variables
D: collector groups

—

Question 123

Which three statements accurately describe Decryption Mirror? (Choose three.)

A: Decryption, storage, inspection, and use of SSL traffic regulated in certain countries.
B: You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment.
C: Decryption Mirror requires a tap interface on the firewall.
D: Only management consent is required to use the Decryption Mirror future.
E: Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.

—

Question 124

What are two benefits of nested device groups in Panorama? (Choose two.)

A: Reuse of the existing Security policy rules and objects
B: Requires configuring both function and location for every device
C: All device groups inherit settings from the Shared group
D: Overwrites local firewall configuration

—

That’s the end of your free questions

You’ve reached the preview limit for PCNSE

Consider upgrading to gain full access!

Page 5 of 25 • Questions 101-125 of 619

←

3 4 5 6 7

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!