Question # 1
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with
an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two
devices? A. show routing protocol bgp summary
B. show routing protocol bgp rib-out
C. show routing protocol bgp state
D. show routing protocol bgp peer
Reveal Answer
D. show routing protocol bgp peer
Question # 2
Which three sessions are created by a NGFW for web proxy? (Choose three.) A. A session for DNS proxy to DNS serversB. A session for proxy to web serverC. A session for client to proxyD. A session for proxy to authentication serverE. A session for web server to client
Reveal Answer
A. A session for DNS proxy to DNS serversB. A session for proxy to web serverC. A session for client to proxy
Question # 3
A security engineer has configured a GlobalProtect portal agent with four gateways Which
GlobalProtect Gateway will users connect to based on the chart provided?A. SouthB. WestC. EastD. Central
Reveal Answer
C. East
Explanation : Based on the provided table, the GlobalProtect portal agent configuration
includes four gateways with varying priorities and response times. Users will connect to the
gateway with the highest priority and, if multiple gateways share the same priority, the one
with the lowest response time.
Answer Determination
Prioritize by Priority Level:
Evaluate Response Times Within Each Priority:
Given the highest priority is "East" with a response time of 35 ms, users will connect to the
East gateway based on the highest priority.
Question # 4
An administrator is tasked to provide secure access to applications running on a server in
the company's on-premises datacenter.
What must the administrator consider as they prepare to configure the decryption policy? A. Ensure HA3 interfaces are configured in a HA pair environment to sync decrypted
sessions.B. Obtain or generate the server certificate and private key from the datacenter serverC. Obtain or generate the self-signed certificate with private key in the firewallD. Obtain or generate the forward trust and forward untrust certificate from the datacenter
server.
Reveal Answer
B. Obtain or generate the server certificate and private key from the datacenter server
Question # 5
You are auditing the work of a co-worker and need to verify that they have matched the
Palo Alto Networks Best Practices for Anti-Spyware Profiles.
For which three severity levels should single-packet captures be enabled to meet the Best
Practice standard? (Choose three.) A. LowB. HighC. CriticalD. InformationalE. Medium
Reveal Answer
B. HighC. CriticalE. Medium
Explanation : The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling
single-packet captures (PCAP) for medium, high, and critical severity threats. This allows
for capturing the first packet of the malicious traffic for further analysis and
investigation. PCAP should not be enabled for low and informational severity threats, as
they generate a relatively high volume of traffic and are not particularly useful compared to
potential threats.
Question # 6
To ensure that a Security policy has the highest priority, how should an administrator
configure a Security policy in the device group hierarchy? A. Add the policy to the target device group and apply a master device to the device group.B. Reference the targeted device's templates in the target device group.C. Clone the security policy and add it to the other device groups.D. Add the policy in the shared device group as a pre-rule
Reveal Answer
D. Add the policy in the shared device group as a pre-rule
Question # 7
A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on
this CPU, what should be reduced? A. The amount of decrypted traffic
B. The timeout value for admin sessions
C. The number of mapped User-ID groups
D. The number of permitted IP addresses on the management interface
Reveal Answer
A. The amount of decrypted traffic
How to Pass PCNSE Exam?
PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
Official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice test help you identify areas where you need improvement and familiarize you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.