1. Home
  2. Palo Alto Networks
  3. PCNSE

Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)

Exam Details

  • Exam Code
    :PCNSE
  • Exam Name
    :Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification
    :Palo Alto Networks Certifications
  • Vendor
    :Palo Alto Networks
  • Total Questions
    :860 Q&As
  • Last Updated
    :Jun 14, 2025

Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

  • Question 371:

    A users traffic traversing a Palo Alto networks NGFW sometimes can reach http //www company com At other times the session times out. At other times the session times out The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com

    goes to http://www company com

    How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

    A. Create and add a monitor profile with an action of fail over in the PBF rule in question

    B. Create and add a monitor profile with an action of wait recover in the PBF rule in question

    C. Configure path monitoring for the next hop gateway on the default route in the virtual router

    D. Enable and configure a link monitoring profile for the external interface of the firewall

  • Question 372:

    Which three options are available when creating a security profile? (Choose three)

    A. Anti-Malware

    B. File Blocking

    C. Url Filtering

    D. IDS/ISP

    E. Threat Prevention

    F. Antivirus

  • Question 373:

    A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log of Site-A, there is an event logged as like-nego-p1-fail-psk.

    What action will bring the VPN up and allow traffic to start passing between the sites?

    A. Change the Site-B IKE Gateway profile version to match Site-A,

    B. Change the Site-A IKE Gateway profile exchange mode to aggressive mode.

    C. Enable NAT Traversal on the Site-A IKE Gateway profile.

    D. Change the pre-shared key of Site-B to match the pre-shared key of Site-A

  • Question 374:

    A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters?

    A. From the CLI, issue the show counter global filter pcap yes command.

    B. From the CLI, issue the show counter global filter packet-filter yes command.

    C. From the GUI, select show global counters under the monitor tab.

    D. From the CLI, issue the show counter interface command for the ingress interface.

  • Question 375:

    How is the Forward Untrust Certificate used?

    A. It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has be decrypted/

    B. It is used when web servers request a client certificate.

    C. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall.

    D. It is used for Captive Portal to identify unknown users.

  • Question 376:

    Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system?

    A. Panorama Log Settings

    B. Panorama Log Templates

    C. Panorama Device Group Log Forwarding

    D. Collector Log Forwarding for Collector Groups

  • Question 377:

    Given the following table.

    Which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network?

    A. Configuring the administrative Distance for RIP to be lower than that of OSPF Int.

    B. Configuring the metric for RIP to be higher than that of OSPF Int.

    C. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.

    D. Configuring the metric for RIP to be lower than that OSPF Ext.

  • Question 378:

    An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However this network segment cannot access the dedicated management interface due to the Security policy.

    Without changing the existing access to the management interface how can the engineer fulfill this request?

    A. Enable HTTPS in an Interface Management profile on the subinterface

    B. Add the network segment's IP range to the Permitted IP Addresses list

    C. Specify the subinterface as a management interface in Setup > Device > Interfaces

    D. Configure a service route for HTTP to use the subinterface

  • Question 379:

    Refer to Exhibit:

    A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.

    He makes an HTTPS connection to 172.16.10.29.

    What is the next hop IP address for the HTTPS traffic from Wills PC.

    A. 172.20.30.1

    B. 172.20.20.1

    C. 172.20.10.1

    D. 172.20.40.1

  • Question 380:

    Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.

    Which Link Type setting will correct the error?

    A. Set tunnel. 1 to p2p

    B. Set tunnel. 1 to p2mp

    C. Set Ethernet 1/1 to p2mp

    D. Set Ethernet 1/1 to p2p

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Palo Alto Networks exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PCNSE exam preparations and Palo Alto Networks certification application, do not hesitate to visit our Vcedump.com to find your solutions here.