Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer Exam Online Training

Palo Alto Networks PCNSE Online Training

The questions for PCNSE were last updated at Apr 22,2025.

Exam Code: PCNSE
Exam Name: Palo Alto Networks Certified Network Security Engineer Exam
Certification Provider: Palo Alto Networks
Latest update: Apr 22,2025

Question #21

Which statement regarding HA timer settings is true?

A . Use the Recommended profile for typical failover timer settings
B . Use the Moderate profile for typical failover timer settings
C . Use the Aggressive profile for slower failover timer settings.
D . Use the Critical profile for faster failover timer settings.

Question #22

A company has configured a URL Filtering profile with override action on their firewall.

Which two profiles are needed to complete the configuration? (Choose two)

A . SSL/TLS Service
B . HTTP Server
C . Decryption
D . Interface Management

Reveal Solution Hide Solution

Question #23

A company has recently migrated their branch office’s PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220S after the migration.

What can they do to reduce commit times?

A . Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
B . Update the apps and threat version using device-deployment
C . Perform a device group push using the "merge with device candidate config" option
D . Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

Reveal Solution Hide Solution

Question #24

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

A . Change destination NAT zone to Trust_L3.
B . Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
C . Change Source NAT zone to Untrust_L3.
D . Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

Reveal Solution Hide Solution

Question #25

Why would a traffic log list an application as "not-applicable”?

A . The firewall denied the traffic before the application match could be performed.
B . The TCP connection terminated without identifying any application data
C . There was not enough application data after the TCP connection was established
D . The application is not a known Palo Alto Networks App-ID.

Reveal Solution Hide Solution

Question #26

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)

A . RADIUS
B . TACACS+
C . Kerberos
D . LDAP
E . SAML

Reveal Solution Hide Solution

Question #27

Where can a service route be configured for a specific destination IP?

A . Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
B . Use Device > Setup > Services > Services
C . Use Device > Setup > Services > Service Route Configuration > Customize > Destination
D . Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

Reveal Solution Hide Solution

Question #28

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)