1. Home
  2. Palo Alto Networks
  3. PCNSE

Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)

Exam Details

  • Exam Code
    :PCNSE
  • Exam Name
    :Palo Alto Networks Certified Network Security Engineer - PAN-OS 11.x (PCNSE)
  • Certification
    :Palo Alto Networks Certifications
  • Vendor
    :Palo Alto Networks
  • Total Questions
    :860 Q&As
  • Last Updated
    :Jun 14, 2025

Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

  • Question 411:

    Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log?

    A. Log

    B. Alert

    C. Allow

    D. Default

  • Question 412:

    A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-andcontrol servers on the internet and SSL Forward Proxy Decryption is not enabled.

    Which component once enabled on a perirneter firewall will allow the identification of existing infected hosts in an environment?

    A. Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole

    B. File Blocking profiles applied to outbound security policies with action set to alert

    C. Vulnerability Protection profiles applied to outbound security policies with action set to block

    D. Antivirus profiles applied to outbound security policies with action set to alert

  • Question 413:

    What will be the source address in the ICMP packet?

    A. 10.30.0.93

    B. 10.46.72.93

    C. 10.46.64.94

    D. 192.168.93.1

  • Question 414:

    Which client software can be used to connect remote Linux client into a Palo Alto Networks Infrastructure without sacrificing the ability to scan traffic and protect against threats?

    A. X-Auth IPsec VPN

    B. GlobalProtect Apple IOS

    C. GlobalProtect SSL

    D. GlobalProtect Linux

  • Question 415:

    The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and report to

    10.1.1.100 on TCP Port 8080.

    Which NAT and security rules must be configured on the firewall? (Choose two)

    A. A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application

    B. A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone using service-http service.

    C. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service.

    D. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.

  • Question 416:

    After pushing a security policy from Panorama to a PA-3020 firwall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem?

    A. A Server Profile has not been configured for logging to this Panorama device.

    B. Panorama is not licensed to receive logs from this particular firewall.

    C. The firewall is not licensed for logging to this Panorama device.

    D. None of the firwwall's policies have been assigned a Log Forwarding profile

  • Question 417:

    Which three options does the WF-500 appliance support for local analysis? (Choose three)

    A. E-mail links

    B. APK files

    C. jar files

    D. PNG files

    E. Portable Executable (PE) files

  • Question 418:

    A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured.

    What can be the cause of this problem?

    A. No Zone has been configured on Ethernet 1/4.

    B. Interface Ethernet 1/1 is in Virtual Wire Mode.

    C. DNS has not been properly configured on the firewall.

    D. DNS has not been properly configured on the host.

  • Question 419:

    Which three function are found on the dataplane of a PA-5050? (Choose three)

    A. Protocol Decoder

    B. Dynamic routing

    C. Management

    D. Network Processing

    E. Signature Match

  • Question 420:

    An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. the following is the output from the command:

    What could be the cause of this problem?

    A. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.

    B. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.

    C. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.

    D. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Palo Alto Networks exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PCNSE exam preparations and Palo Alto Networks certification application, do not hesitate to visit our Vcedump.com to find your solutions here.