Palo Alto Networks PCNSE Exam Practice Test Instant Access

Question 1

Which tool can gather information about the application patterns when defining a signature for a custom application?

APolicy Optimizer

BData Filtering Log

CWireshark

DExpedition

Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.

Question 2

Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake?

ALog Collector

BPanorama

CLegacy

DManagement Only

Answer : D

Question 3

Exhibit.

Review the screenshots and consider the following information

1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?

AServer-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1

BServer-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2.

CServer-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.

DServer-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.

Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.

Question 4

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?

AChoose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit

BChoose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit

CChoose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit

DChoose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit

Answer : A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention

Question 5

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

AIt can run on a single virtual system and multiple virtual systems.

BIt can run on multiple virtual systems without issue.

CIt can run only on a single virtual system.

DIt can run only on a virtual system with an alias named 'web proxy.

Answer : A

Question 6

What must be configured to apply tags automatically based on User-ID logs?

ADevice ID

BLog Forwarding profile

CGroup mapping

DLog settings

Answer : D

To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule.The tags can then be used for dynamic address groups, policy enforcement, or reporting1.Reference:Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)

Question 7

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)

AVoice

BFingerprint

CSMS

DUser certificate

EOne-time password

Answer : A, C, E

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-multi-factor-authentication

Palo Alto Networks Certified Security Engineer PAN-OS 11.0 PCNSE Exam Practice Test