Palo Alto Networks PCNSE Exam Practice Test Instant Access

Question 1

An administrator is attempting to create policies tor deployment of a device group and template stack. When creating the policies, the zone drop down list does not include the required zone.

What must the administrator do to correct this issue?

ASpecify the target device as the master device in the device group

BEnable 'Share Unused Address and Service Objects with Devices' in Panorama settings

CAdd the template as a reference template in the device group

DAdd a firewall to both the device group and the template

Answer : C

In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

Question 2

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?

B99

D255

Answer : D

Question 3

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?

AGlobalProtect agent version

BOutdated plugins

CManagement-only mode

DExpired certificates

Answer : D

A Panorama upgrade can fail if expired certificates (Option D) prevent secure communication with update servers or managed devices. Certificates (e.g., device certificates) must be valid for the upgrade process to proceed.

Option A (GlobalProtect) is unrelated to Panorama upgrades. Option B (outdated plugins) may cause compatibility issues post-upgrade, not install failure. Option C (management-only mode) doesn't block upgrades. Documentation lists certificate expiration as a common issue.

Question 4

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

AA web server certificate signed by the organization's PKI

BA self-signed certificate generated on the firewall

CA subordinate Certificate Authority certificate signed by the organization's PKI

DA web server certificate signed by an external Certificate Authority

Answer : B

Question 5

Which log type would provide information about traffic blocked by a Zone Protection profile?

AData Filtering

BIP-Tag

CTraffic

DThreat

Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile.This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks1.These attacks are classified as threats by the firewall and are logged in the threat log2.The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats2.

Verified Reference:

1:Zone protection profiles - Palo Alto Networks Knowledge Base

2:Threat Log Fields - Palo Alto Networks

Question 6

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?

AEnable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.

BEnable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

CEnable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.

DEnable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.

Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.

Question 7

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?

AExport the log database.

BUse the import option to pull logs.

CUse the scp logdb export command.

DUse the ACC to consolidate the logs.

Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb

Palo Alto Networks PCNSE Palo Alto Networks Certified Security Engineer PAN-OS 11.0 Exam Practice Test