Prepare PCNSE Question Answers - PCNSE Exam Dumps [Q118-Q141]


Real Palo Alto Networks PCNSE Exam Questions [Updated 2023]

NEW QUESTION 118
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

Answer:

Explanation:
IMAP, POP3, SMTP -> Alert
HTTP, FTP, SMB -> Reset-both

 

NEW QUESTION 119
What is the best description of the HA4 Keep-Alive Threshold (ms)?

  • A. The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
  • B. the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional.
  • C. the maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational.
  • D. The timeframe that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing.

Answer: B

 

NEW QUESTION 120
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

  • A. SSL Inbound Inspection
  • B. SMTP Inbound Decryption
  • C. TLS Bidirectional Inspection
  • D. SSH Forward Proxy

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

 

NEW QUESTION 121
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • B. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
  • C. The firewalls do not use floating IPs in active/active HA.
  • D. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/floating-ip-address-and-virtual-mac-address

 

NEW QUESTION 122
What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.)

  • A. the website matches a category that is not allowed for most users
  • B. the website matches a sensitive category
  • C. the website matches a high-risk category
  • D. the web server requires mutual authentication

Answer: A,B

 

NEW QUESTION 123
The certificate information displayed in the following image is for which type of certificate?
Exhibit:

  • A. Self-Signed Root CA certificate
  • B. Web Server certificate
  • C. Public CA signed certificate
  • D. Forward Trust certificate

Answer: A

 

NEW QUESTION 124
When configuring the firewall for packet capture, what are the valid stage types?

  • A. Receive management, transmit, and non-syn
  • B. Receive, firewall, transmit, and drop
  • C. Receive, firewall, send, and non-syn
  • D. Receive, management, transmit, and drop

Answer: B

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0
docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/monitor/monitor-packet-capture/packet-capture-overview.html

 

NEW QUESTION 125
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A:

B:

C:

D:

E:

  • A. Option C
  • B. Option B
  • C. Option A
  • D. Option E
  • E. Option D

Answer: B

 

NEW QUESTION 126
Exhibit:

What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

  • A. ethernet1/6
  • B. ethernet1/5
  • C. ethernet1/3
  • D. ethernet1/7

Answer: C

 

NEW QUESTION 127
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

  • A. Decryption log
  • B. In the details of the Threat log entries
  • C. In the details of the Traffic log entries
  • D. Data Filtering log

Answer: C

Explanation:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC
The question is simply asking how to verify that traffic is being decrypted. There are two ways to see this in the Traffic logs:
1. To confirm that the traffic is decrypted, go to WebGUI > Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.
2. Another way to validate the decrypted session is by enabling the "Decrypted" column in the Traffic logs. This can be done by clicking the down arrow next to any column title and selecting Columns > Decrypted. This shows the decrypted status in the regular Traffic log view.

 

NEW QUESTION 128
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

  • A. .jar
  • B. .pdf
  • C. .dll
  • D. .src
  • E. .exe
  • F. .apk

Answer: C,D,E

Explanation:
The question is asking about the free basic WildFire service, which only allows forwarding of PE (Portable Executable) files.
PE: Portable Executable (PE) files. PEs include executable files, object code, DLLs, FON (fonts), and LNK files. A subscription is not required to forward PE files for WildFire analysis, but is required for all other supported file types.
"With the basic WildFire service, the firewall can forward portable executable (PE) files for WildFire analysis." Searching online for PE file extensions gives:
.acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp
https://docs.paloaltonetworks.com/wildfire/10-0/wildfire-admin/wildfire-overview/wildfire-concepts/file-analysis.html

 

NEW QUESTION 129
What is the function of a service route?

  • A. The service route is the method required to use the firewall's management plane to provide services to applications
  • B. Service routes provide access to external services, such as DNS servers, external authentication servers, or Palo Alto Networks services like the Customer Support Portal
  • C. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address
  • D. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address

Answer: D

 

NEW QUESTION 130
In a virtual router, which object contains all potential routes?

  • A. RIB
  • B. SIP
  • C. FIB
  • D. MIB

Answer: A

Explanation:
Reference: https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0ahUKEwiOkbfYzPzXAhVnEJoKHcwVCg4QFghiMAk&
2Flive.paloaltonetworks.com%2Ftwzvq79624%2Fattachments%2Ftwzvq79624%2Fdocumentation_tkb%2F487%
2520Redistribution%2520and%2520Filtering%2520TechNote%2520-%2520Rev%
2520B.pdf&usg=AOvVaw0H9qgaJK0oI2xjIJBNo1Km

 

NEW QUESTION 131
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?

  • A. SSL Inbound Inspection
  • B. SMTP Inbound Decryption
  • C. TLS Bidirectional Inspection
  • D. SSH Forward Proxy

Answer: A

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspection

 

NEW QUESTION 132
Which log file can be used to identify SSL decryption failures?

  • A. Traffic
  • B. Threats
  • C. Configuration
  • D. ACC

Answer: A

 

NEW QUESTION 133
Which two events trigger the operation of automatic commit recovery? (Choose two.)

  • A. when an aggregate Ethernet interface component fails
  • B. when a firewall performs a local commit
  • C. when Panorama pushes a configuration
  • D. when a firewall HA pair fails over

Answer: A,D

 

NEW QUESTION 134
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address?

  • A. Add a tuned DoS Protection Profile
  • B. Add QoS Profiles to throttle incoming requests
  • C. Define a custom App-ID to ensure that only legitimate application traffic reaches the server
  • D. Add an Anti-Spyware Profile to block attacking IP address

Answer: A

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmTCAS
DoS Protection Profiles set the protection thresholds to provide DoS protection against flooding of new sessions for IP floods (CPS limits), to provide resource protection (maximum concurrent session limits for specified endpoints and resources), and to configure whether the profile applies to aggregate or classified traffic. DoS Protection policy rules control where to apply DoS protection and which action to take when traffic matches the criteria defined in the rule. Unlike a Zone Protection Profile, which protects only the ingress zone, DoS Protection Profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Unlike the case with a Zone Protection Profile, which supports only aggregate traffic, you can configure aggregate or classified DoS Protection Profiles and policy rules.

 

NEW QUESTION 135
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

  • A. debug system details
  • B. show system details
  • C. show system info
  • D. show session info

Answer: C

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK

 

NEW QUESTION 136
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  • A. Application and Threats update package
  • B. Wildfire update package
  • C. User-ID agent
  • D. Antivirus update package

Answer: A

Explanation:
Dependencies: Before upgrading, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS upgrade.
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

NEW QUESTION 137
View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

  • A. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
  • B. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
  • C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
  • D. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.

Answer: C

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-por the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
"Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways. When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways"

 

NEW QUESTION 138
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?

  • A. &Panorama
  • B. #Panorama
  • C. @Panorama
  • D. $Panorama

Answer: D

 

NEW QUESTION 139
When is the content inspection performed in the packet flow process?

  • A. after the application has been identified
  • B. after the SSL Proxy re-encrypts the packet
  • C. before session lookup
  • D. before the packet forwarding process

Answer: A

Explanation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

 

NEW QUESTION 140
Which two events trigger the operation of automatic commit recovery? (Choose two.)

  • A. when a firewall performs a local commit
  • B. when a firewall HA pair fails over
  • C. when an aggregate Ethernet interface component fails
  • D. when Panorama pushes a configuration

Answer: A,D

Explanation:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/automatic-panorama-connection-recovery.html
Automatic commit recovery allows you to configure the firewall to attempt a specified number of connectivity tests after:
1- you push a configuration from Panorama or
2- commit a configuration change locally on the firewall.
Additionally, the firewall checks connectivity to Panorama every hour to ensure consistent communication in the event unrelated network configuration changes have disrupted connectivity between the firewall and Panorama or if implications to a pushed committed configuration may have affected connectivity.

 
