Palo Alto Networks PCNSE Palo Alto Networks Certified Security Engineer PAN-OS 11.0 Exam Practice Test

Page: 1 / 14
Total 334 questions
Question 1

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 2

Forwarding of which two log types is configured in Objects -> Log Forwarding? (Choose two)



Answer : B, C

In PAN-OS, the Log Forwarding object under Objects configures forwarding for Authentication (Option B) and User-ID (Option C) logs, among others, to external systems (e.g., syslog servers).

Option A (GlobalProtect) and Option D (WildFire) logs are managed differently (e.g., via profiles or Panorama). Documentation lists supported log types in Log Forwarding.


Question 3

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : A

The SSL/TLS Service Profile (Option A) defines ciphers and protocols for management access (e.g., HTTPS GUI, API), allowing specific cipher suites to be enforced.

Option B (SSH Service Profile) doesn't exist; SSH uses global settings. Option C (Certificate Profile) handles authentication, not ciphers. Option D (Decryption Profile) is for traffic decryption, not management. Documentation specifies SSL/TLS profiles for this.


Question 4

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)



Answer : B, D

Palo Alto firewalls can gather User-ID mappings from proxies via Syslog (Option B), parsing log messages with user-IP data, and XFF Headers (Option D), extracting user info from HTTP headers (X-Forwarded-For) if the proxy supports it.

Option A (Client Probing) queries clients, not proxies. Option C (Server Monitoring) targets servers like AD, not proxies. Documentation lists these methods for proxy integration.


Question 5

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.

Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.


Question 6

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?



Answer : A

Perfect Forward Secrecy (PFS) ensures unique session keys per VPN session, enabled under the IKE Gateway advanced options (Option A) by selecting a Diffie-Hellman (DH) group. This resolves Phase 2 mismatches if the peer requires PFS.

Option B (IPsec Tunnel) doesn't directly control PFS. Option C (DH Group in IPsec Crypto) is related but not the enablement point. Option D (authentication algorithm) is unrelated. Documentation specifies IKE Gateway for PFS.


Question 7

Which tool can gather information about the application patterns when defining a signature for a custom application?



Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.

