Download Palo Alto Networks Certified Network Security Engineer.pdfvce.PCNSE.2021-03-11.1e.310q.vcex

Download Exam

File Info

Exam Palo Alto Networks Certified Network Security Engineer
Number PCNSE
File Name Palo Alto Networks Certified Network Security Engineer.pdfvce.PCNSE.2021-03-11.1e.310q.vcex
Size 25.1 Mb
Posted March 11, 2021
Downloads 49
Download Palo Alto Networks Certified Network Security Engineer.pdfvce.PCNSE.2021-03-11.1e.310q.vcex

How to open VCEX & EXAM Files?

Files with VCEX & EXAM extensions can be opened by ProfExam Simulator.


With discount: 20%


Demo Questions

Question 1

When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?

  • A: To enable Gateway authentication to the Portal
  • B: To enable Portal authentication to the Gateway
  • C: To enable user authentication to the Portal
  • D: To enable client machine authentication to the Portal

Correct Answer: C

The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.

Question 2

For which two functions is the management plane responsible? (Choose two.)

  • A: Protocol decoding
  • B: Reassembling packets
  • C: Forwarding logs
  • D: Answering HTTP requests

Correct Answer: CD

Question 3

In order to route traffic between layer 3 interfaces on the PAN firewall you need:

  • A: VLAN
  • B: Vwire
  • C: Security Profile
  • D: Virtual Router

Correct Answer: D

Question 4

Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

  • A: XML API
  • B: Port Mapping
  • C: Client Probing
  • D: Server Monitoring

Correct Answer: A

Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent 2 IT Certification Guaranteed, The Easy Way!

Question 5

When using the predefined default antivirus profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all. (select four)

  • A: IMAP - Alert
  • B: IMAP - Reset-both
  • C: HTTP - Alert
  • D: HTTP - Reset-both
  • E: FTP, SMB - Alert
  • F: FTP, SMB - Reset-both
  • G: POP3, SMTP - Alert
  • H: POP3, SMTP - Reset-both

Correct Answer: ADFG

The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols.

Question 6 has an in-house application that the Palo Alto Networks device doesn't identify correctly. 
A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. 
Which method should use to immediately address this traffic on a Palo Alto Networks device? 

  • A: Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic.
  • B: Wait until an official Application signature is provided from Palo Alto Networks.
  • C: Modify the session timer settings on the closest referanced application to meet the needs of the in-house application
  • D: Create a Custom Application with signatures matching unique identifiers of the in-house application traffic

Correct Answer: D

Question 7

Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only?

  • A: Disable Server Response Inspection
  • B: Apply an Application Override
  • C: Disable HIP Profile
  • D: Add server IP Security Policy exception

Correct Answer: A

In the Other Settings section, select the option to Disable Server Response Inspection. This setting disables the antivirus and anti-spyware scanning on the server-side responses, and thus reduces the load on the firewall.

Question 8

View the GlobalProtect configuration screen capture. What is the purpose of this configuration? 


  • A: It configures the tunnel address of all internal clients to an IP address range starting at
  • B: It forces an internal client to connect to an internal gateway at IP address
  • C: It enables a client to perform a reverse DNS lookup on to detect that it is an internal client.
  • D: It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.

Correct Answer: C

Question 9

In which two types of deployment is active/active HA configuration supported? (Choose two.)

  • A: Layer 3 mode
  • B: TAP mode
  • C: Virtual Wire mode
  • D: Layer 2 mode

Correct Answer: AC

Question 10

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)

  • A: Create a no-decrypt Decryption Policy rule.
  • B: Configure an EDL to pull IP addresses of known sites resolved from a CRL.
  • C: Create a Dynamic Address Group for untrusted sites
  • D: Create a Security Policy rule with vulnerability Security Profile attached.
  • E: Enable the "Block sessions with untrusted issuers" setting.

Correct Answer: AD





You can buy ProfExam with a 20% discount!


Use ProfExam Simulator to open VCEX and EXAM files