Question # 1
Which DoS Protection Profile detects and prevents session exhaustion attacks against
specific destinations?
A. Resource Protection
B. TCP Port Scan Protection
C. Packet Based Attack Protection
D. Packet Buffer Protection
Answer: A. Resource Protection
Explanation: In addition to IP flood thresholds, you can also use DoS Protection profiles to detect and
prevent session exhaustion attacks in which a large number of hosts (bots) establish as
many sessions as possible to consume a target’s resources. On the profile’s Resources
Protection tab, you can set the maximum number of concurrent sessions that the device(s)
defined in the DoS Protection policy rule to which you apply the profile can receive. When
the number of concurrent sessions reaches its maximum limit, new sessions are dropped.
Question # 2
Panorama is being used to upgrade the PAN-OS version on a pair of firewalls in an
active/passive high availability (HA) configuration. The Palo Alto Networks best practice
upgrade steps have been completed in Panorama (Panorama upgraded, backups made,
content updates, and disabling "Preemptive" pushed), and the firewalls are ready for
upgrade. What is the next best step to minimize downtime and ensure a smooth transition?
A. Upgrade both HA peers at the same time using Panorama’s "Group HA Peers" option to ensure version consistency
B. Suspend the active firewall, upgrade it first, and reboot to verify it comes back online before upgrading the passive peer
C. Perform the upgrade on the active firewall first while keeping the passive peer online to maintain failover capability
D. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer
Answer: D. Upgrade only the passive peer first, reboot it, restore HA functionality, and then upgrade the active peer
Explanation: For active/passive HA upgrades, best practices minimize downtime by
upgrading the passive peer first (Option D), rebooting it to confirm stability, restoring HA
sync, and then upgrading the active peer. This keeps services running on the active firewall
during the passive upgrade, ensuring a smooth transition with failover capability intact.
Reference: PAN-OS 11.2 Upgrade Guide, "Upgrade HA Firewalls Using Panorama"
section.
Question # 3
Which User-ID mapping method should be used in a high-security environment where all IP
address-to-user mappings should always be explicitly known?
A. PAN-OS integrated User-ID agent
B. GlobalProtect
C. Windows-based User-ID agent
D. LDAP Server Profile configuration
Answer: B. GlobalProtect
GlobalProtect is a VPN solution that provides secure remote access to corporate networks.
When a user connects to GlobalProtect, their identity is verified against an LDAP server.
This ensures that all IP address-to-user mappings are explicitly known.
Question # 4
Which translated port number should be used when configuring a NAT rule for a
transparent proxy?
A. 80
B. 443
C. 8080
D. 4443
Answer: C. 8080
Explanation: A transparent proxy operates by intercepting traffic without client
configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on
the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent
proxy, the standard translated port is 8080 (Option C), commonly used for proxy services.
This port is where the firewall redirects client traffic for processing (e.g., URL filtering or
decryption) before forwarding it to the destination.
Reference: PAN-OS 11.2 Administrator’s Guide, "NAT" section - Transparent Proxy
Configuration; Palo Alto Networks Tech Docs - Transparent Proxy Deployment.
Question # 5
A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with
an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current BGP state between the two
devices?
A. show routing protocol bgp summary
B. show routing protocol bgp rib-out
C. show routing protocol bgp state
D. show routing protocol bgp peer
Answer: D. show routing protocol bgp peer
Question # 6
How can Panorama help with troubleshooting problems such as high CPU or resource
exhaustion on a managed firewall?
A. Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.
B. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
C. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
D. Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls.
Answer: A. Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.
Question # 7
Which three multi-factor authentication methods can be used to authenticate access to the
firewall? (Choose three.)
A. Voice
B. Fingerprint
C. SMS
D. User certificate
E. One-time password
Answer: C. SMS, D. User certificate, E. One-time password
Explanation:
Palo Alto firewalls support multi-factor authentication (MFA) for secure admin and user access. The three supported MFA methods are:
C. SMS – The firewall can integrate with SMS-based authentication services (e.g., Duo, Okta) to send verification codes.
D. User certificate – Digital certificates (e.g., X.509) can be used as a second factor alongside passwords.
E. One-time password (OTP) – Time-based OTPs (TOTP) from apps like Google Authenticator or RSA SecurID are supported.
Why the Others Are Incorrect:
A. Voice – Not a supported MFA method on Palo Alto firewalls.
B. Fingerprint – Biometric authentication is not natively supported for firewall access.
Reference:
Palo Alto MFA Documentation
How to Pass PCNSE Exam?
PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.