Palo Alto Networks PCNSE Übungsprüfungen
Zuletzt aktualisiert am 26.04.2025- Prüfungscode: PCNSE
- Prüfungsname: Palo Alto Networks Certified Network Security Engineer Exam
- Zertifizierungsanbieter: Palo Alto Networks
- Zuletzt aktualisiert am: 26.04.2025
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
- A . Log Ingestion
- B . HTTP
- C . Log Forwarding
- D . LDAP
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
- A . Run the CLI command show advanced-routing ospf neighbor
- B . In the WebUI, view the Runtime Stats in the virtual router
- C . Look for configuration problems in Network > virtual router > OSPF
- D . In the WebUI, view Runtime Stats in the logical router
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
- A . Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to No Set "Asymmetric Path" to Bypass - B . > set session tcp-reject-non-syn no
- C . Navigate to Network > Zone Protection Click Add
Select Packet Based Attack Protection > TCP/IP Drop Set "Reject Non-syn-TCP" to Global Set "Asymmetric Path" to Global - D . # set deviceconfig setting session tcp-reject-non-syn no
A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known
What can the administrator configure to establish the VPN connection?
- A . Set up certificate authentication.
- B . Use the Dynamic IP address type.
- C . Enable Passive Mode
- D . Configure the peer address as an FQDN.
A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.
How does the firewall identify the New App-ID characteristic?
- A . It matches to the New App-IDs downloaded in the last 90 days.
- B . It matches to the New App-IDs in the most recently installed content releases.
- C . It matches to the New App-IDs downloaded in the last 30 days.
- D . It matches to the New App-IDs installed since the last time the firewall was rebooted.
Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.
Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution
How can Information Security extract and learn iP-to-user mapping information from authentication events for VPN and wireless users?
- A . Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users.
- B . Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
- C . Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
- D . Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
- A . The forward untrust certificate has not been signed by the self-singed root CA certificate.
- B . The forward trust certificate has not been installed in client systems.
- C . The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- D . The forward trust certificate has not been signed by the self-singed root CA certificate.
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?
- A . IP Netmask
- B . IP Wildcard Mask
- C . IP Address
- D . IP Range
An administrator notices that an interface configuration has been overridden locally on a firewall.
They require all configuration to be managed from Panorama and overrides are not allowed.
What is one way the administrator can meet this requirement?
- A . Perform a commit force from the CLI of the firewall.
- B . Perform a template commit push from Panorama using the "Force Template Values" option.
- C . Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option.
- D . Reload the running configuration and perform a Firewall local commit.
Which type of zone will allow different virtual systems to communicate with each other?
- A . Tap
- B . External
- C . Virtual Wire
- D . Tunnel