
Free Paloalto Networks PCNSE Practice Exam with Questions & Answers | Set: 8

Questions 71

Which active-passive HA firewall state describes the firewall that is currently processing traffic?

Options:
A. Active-secondary

B. Active

C. Active-primary

D. Initial

Questions 72

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices.

What should an administrator configure to route interesting traffic through the VPN tunnel?

Options:
A. Proxy IDs

B. GRE Encapsulation

C. Tunnel Monitor

D. ToS Header

Questions 73

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?

Options:
A. Review high severity system logs to identify why the threat is missing in Vulnerability Profile Exceptions.

B. Open a support case.

C. Review traffic logs to add the exception from there.

D. Select 'Show all signatures' within the Vulnerability Protection Profile under 'Exceptions'.

Questions 74

An administrator receives the following error message:

"IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0."

How should the administrator identify the root cause of this error message?

Options:
A. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate.

B. Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

C. Check whether the VPN peer on one end is set up correctly using policy-based VPN.

D. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.

Questions 75

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)

Options:
A. A Deny policy for the tagged traffic

B. An Allow policy for the initial traffic

C. A Decryption policy to decrypt the traffic and see the tag

D. A Deny policy with the "tag" App-ID to block the tagged traffic

Questions 76

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?

Options:
A. Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow.

B. Perform synchronization of routes, IPSec security associations, and User-ID information.

C. Perform session cache synchronization for all HA cluster members with the same cluster ID.

D. Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair.

Questions 77

The firewall is not downloading IP addresses from MineMeld. Based on the image, what is most likely wrong?

PCNSE Question 77

Options:
A. A Certificate Profile that contains the client certificate needs to be selected.

B. The source address supports only files hosted with an ftp://<address/file>.

C. External Dynamic Lists do not support SSL connections.

D. A Certificate Profile that contains the CA certificate needs to be selected.

Questions 78

PBF can address which two scenarios? (Choose two.)

Options:
A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link

B. Providing application connectivity if the primary circuit fails

C. Enabling the firewall to bypass Layer 7 inspection

D. Forwarding all traffic by using source port 78249 to a specific egress interface

Questions 79

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?

Options:
A. No Direct Access to local networks

B. Tunnel mode

C. IPSec mode

D. Satellite mode

Questions 80

Which log type would provide information about traffic blocked by a Zone Protection profile?

Options:
A. Data Filtering

B. IP-Tag

C. Traffic

D. Threat