ExamGecko
Ask Question

PCNSE: Palo Alto Networks Certified Network Security Engineer

Exam Questions:
499
 Learners
  2.370
Last Updated
April - 2025
Language
English
13 Quizzes
PDF | VPLUS
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Related questions

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection
Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN. ICMP ICMPv6, UDP. and other IP flood attacks
Add a WildFire subscription to activate DoS and zone protection features
Add a WildFire subscription to activate DoS and zone protection features
Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
Replace the hardware firewall because DoS and zone protection are not available with VM-Series systems
Suggested answer: A
Explanation:

1 - https://docs.paloaltonetworks.com/best-practices/8-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-bestpractices.html#:~:text=DoS%20and%20Zone%20Protection%20help,device%20at%20the%20internet%20perimeter.

2 - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dosprotection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dosprotection.html

asked 23/09/2024
Federico Miliacca
41 questions

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify'?

Become a Premium Member for full access
  Unlock Premium Member

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted How should the engineer proceed?

Allow the firewall to block the sites to improve the security posture
Allow the firewall to block the sites to improve the security posture
Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
Install the unsupported cipher into the firewall to allow the sites to be decrypted
Install the unsupported cipher into the firewall to allow the sites to be decrypted
Create a Security policy to allow access to those sites
Create a Security policy to allow access to those sites
Suggested answer: B
Explanation:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in blocking the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.

asked 23/09/2024
Gerhard Seher
32 questions

If a URL is in multiple custom URL categories with different actions, which action will take priority?

Become a Premium Member for full access
  Unlock Premium Member

What is a correct statement regarding administrative authentication using external services with a local authorization method?

Become a Premium Member for full access
  Unlock Premium Member

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)

Become a Premium Member for full access
  Unlock Premium Member

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Become a Premium Member for full access
  Unlock Premium Member

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?

SSH Service profile
SSH Service profile
SSL/TLS Service profile
SSL/TLS Service profile
Decryption profile
Decryption profile
Certificate profile
Certificate profile
Suggested answer: A
Explanation:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure- an-ssh-service-profile

asked 23/09/2024
javier mungaray
43 questions

When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )

user-logon (always on)
user-logon (always on)
pre-logon then on-demand
pre-logon then on-demand
on-demand (manual user initiated connection)
on-demand (manual user initiated connection)
post-logon (always on)
post-logon (always on)
certificate-logon
certificate-logon
Suggested answer: A, B, C
Explanation:

The Method section of the GlobalProtect portal configuration allows you to specify how users connect to the portal. The options are: user-logon (always on): The agent connects to the portal as soon as the user logs in to the endpoint. pre-logon then on-demand: The agent connects to the portal before the user logs in to the endpoint and then switches to on-demand mode after the user logs in. on-demand (manual user initiated connection): The agent connects to the portal only when the user initiates the connection manually. Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan- os-admin/globalprotect/configure-the-globalprotect-portal/configure-the-agent/configure-the-app- tab.html

asked 23/09/2024
Jeremiah Gem Galeon
49 questions

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?

Become a Premium Member for full access
  Unlock Premium Member