Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer Exam Online Training
The questions for PCNSE were last updated at Apr 25, 2025.
- Exam Code: PCNSE
- Exam Name: Palo Alto Networks Certified Network Security Engineer Exam
- Certification Provider: Palo Alto Networks
Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
- A . NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Source Translation: Static IP / 172.16.15.1
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Trust
  Destination IP: 172.16.15.10
  Application: ssh
- B . NAT Rule:
  Source Zone: Trust
  Source IP: 192.168.15.0/24
  Destination Zone: Trust
  Destination IP: 192.168.15.1
  Destination Translation: Static IP / 172.16.15.10
  Security Rule:
  Source Zone: Trust
  Source IP: 192.168.15.0/24
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh
- C . NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Trust
  Destination IP: 192.168.15.1
  Destination Translation: Static IP / 172.16.15.10
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh
- D . NAT Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Source Translation: dynamic-ip-and-port / ethernet1/4
  Security Rule:
  Source Zone: Trust
  Source IP: Any
  Destination Zone: Server
  Destination IP: 172.16.15.10
  Application: ssh
An administrator would like to determine which action the firewall will take for a specific CVE.
Given the screenshot below, where should the administrator navigate to view this information?
- A . The profile rule action
- B . CVE column
- C . Exceptions tab
- D . The profile rule threat name
A network administrator wants to deploy SSL Forward Proxy decryption.
What two attributes should a forward trust certificate have? (Choose two.)
- A . A subject alternative name
- B . A private key
- C . A server certificate
- D . A certificate authority (CA) certificate
An engineer is configuring a firewall with three interfaces:
• MGT connects to a switch with internet access.
• Ethernet1/1 connects to an edge router.
• Ethernet1/2 connects to a visualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic.
What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
- A . Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
- B . Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
- C . Set DNS and Palo Alto Networks Services to use the MGT source interface.
- D . Set DDNS and Palo Alto Networks Services to use the MGT source interface.
Which Panorama feature protects logs against data loss if a Panorama server fails?
- A . Panorama HA automatically ensures that no logs are lost if a server fails inside the HA Cluster.
- B . Panorama Collector Group with Log Redundancy ensures that no logs are lost if a server fails inside the Collector Group.
- C . Panorama HA with Log Redundancy ensures that no logs are lost if a server fails inside the HA Cluster.
- D . Panorama Collector Group automatically ensures that no logs are lost if a server fails inside the Collector Group.
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets' payload and opens dynamic pinholes for media ports.
What can the engineer do to solve the VoIP traffic issue?
- A . Disable ALG under H.323 application
- B . Increase the TCP timeout under H.323 application
- C . Increase the TCP timeout under SIP application
- D . Disable ALG under SIP application
An engineer manages a high availability network and requires fast failover of the routing protocols.
The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
- A . OSPF
- B . RIP
- C . BGP
- D . IGRP
- E . OSPFv3 virtual link
An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.
Which three types of interfaces support SSL Forward Proxy? (Choose three.)
- A . High availability (HA)
- B . Layer 3
- C . Layer 2
- D . Tap
- E . Virtual Wire
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10.2? (Choose three.)
- A . PA-220
- B . PA-800 Series
- C . PA-5000 Series
- D . PA-500
- E . PA-3400 Series
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
- A . The User-ID agent is connected to a domain controller labeled lab-client
- B . The host lab-client has been found by a domain controller
- C . The host lab-client has been found by the User-ID agent.
- D . The User-ID agent is connected to the firewall labeled lab-client