Certification Provider: Palo Alto
Exam: Palo Alto Certified Network Security Consultant
Exam Code: PCNSC
Total Questions: 60
Questions per Quiz: 50
Updated On: 12 April 2025
Note: In order to practice all the Q/As, you have to practice multiple times. Questions and answers will be presented randomly and will help you get hands-on for the real exam.

1. In preparation for a cutover event, what two processes or procedures should be verified? (Choose 2)
- roles and responsibilities
- logging and reporting
- auditing
- change management requirements

2. A customer has a five-year-old firewall in production. In the time since the firewall was installed, the IT team deleted unused security policies on a regular basis, but they did not remove the address objects and groups that were part of these security policies. What is the best way to delete all of the unused address objects on the firewall?
- Search each address object with Global Find and delete if it shows that the address object is not referenced
- Import the configuration in Expedition, remove unused address objects, and reimport the configuration.
- Go to Address Objects under the Objects tab and click on Remove unused objects
- Using CLI execute request configuration address-objects remove-unused-objects.

3. Which CLI command should you use to verify whether all SFP, SFP+, or QSFP modules are installed in a firewall?
- show system state filter sys.s*.p*.phy
- show system state filter sys.p*.phy
- show system info
- show interface detail

4. Your customer wants to implement Active/Active High Availability for their PA-5260 pair. Which three of the following HA configurations should your customer ensure they use to meet these requirements?
(Choose three.) The following conditions are true in their environment:
- They are using multiple Layer 3 interfaces to process traffic.
- Their routing topology requires the use of Network Address Translation policies to ensure that traffic can reach its destinations correctly.
- They prefer to have the session workload distributed as evenly as possible to ensure both firewalls have lower resource utilization.
- They make use of dynamic routing protocols on their virtual routers for route-based redundancy.
- They chose to go with Active/Active for failover speed reasons.

Options:
- Session selection algorithm – Primary Device
- Session selection algorithm – First Packet
- Active/Active HA Binding in the NAT policies
- HA1A, HA1B, and HA2 interfaces
- HA1A, HA1B, HA2, and HA3 interfaces

5. Which are two commands required to upgrade Expedition? (Choose two.)
- sudo apt-get install expedition-beta
- sudo apt-get update expedition
- sudo apt-get upgrade all
- sudo apt-get update

6. What happens when a packet from an existing session is received by a firewall that is not the session owner?
- The firewall drops the packet to prevent any L3 loops
- The firewall forwards the packet to the peer firewall over the HA3 link
- The firewall requests the sender to resend the packet
- The firewall takes the ownership of the session from the peer firewall

7. In an HA (High Availability) setup, what is the purpose of the HA3 link?
- Exchange heartbeats between the devices
- Transmit HA control traffic
- Synchronize configuration changes
- Synchronize session state information

8. When creating a custom application signature, which field allows you to specify the layer 7 protocol details to match?
- Pattern Match
- Signature ID
- Protocol Decoder
- Application

9. A company has deployed an Active/Passive 5280 HA pair with BGP configured to the company’s ISP. The lead firewall engineer has set the HA Timer to “Recommended”. Upon failing over the HA pair, there is a two-minute outage and internet traffic is dropped.
What should the engineer do to eliminate or minimize the outage in the future?
- Enable Path Monitoring to the ISP
- Ensure that “Graceful Restart” has been enabled on all peers
- Change the HA Timer to “Aggressive”
- Change the HA Timer to “Advanced” with “Preemption Hold Time” of one minute

10. Your customer believes that the Panorama appliance is being overwhelmed by the logs from deployed Palo Alto Networks Next-Generation Firewalls. What CLI command can you run to determine the number of logs per second sent by each firewall?
- show logging status
- debug log-receiver statistics
- show log traffic
- debug log-sender statistics

11. Which category of Vulnerability Signature is most likely to trigger false positive alerts?
- info-leak
- code-execution
- phishing
- brute-force

12. In Expedition, which objects are classified as “Ghost objects”?
- Unused address objects
- Addresses imported from Security and NAT policies without corresponding address objects.
- Address objects that are not part of an Address Group
- Address objects that are not applied in Security or NAT policies

13. A customer has deployed a GlobalProtect portal and gateway as its remote-access VPN solution for its fleet of Windows 10 laptops. The customer wants to use Host Information Profile (HIP) data collected at the GlobalProtect gateway throughout its enterprise as an additional means of policy enforcement. What additional licensing must the customer purchase?
- GlobalProtect license for the gateway firewall
- DNS Security on the perimeter firewall
- WildFire license
- GlobalProtect license for each firewall that will use HIP data to enforce policy

14. Which Palo Alto Networks feature allows you to create dynamic security policies based on the behavior of the device in your network?
- Dynamic Address Group
- Cortex XDR
- Behavioral Threat Detection
- APP-ID

15. In an HA active/active configuration, what is the purpose of ARP load sharing?
- share an IP address and provide gateway services
- protect internal networks from an ARP flooding attack
- share all IP addresses and provide Layer 4 through Layer 7 services when failure is detected
- sync the ARP table between the two firewalls

16. Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update? (Choose two.)
- when disabling facebook-base to disable all other Facebook App-IDs
- when planning to enable the App-IDs immediately
- when an organization operates a mission-critical network and has zero tolerance for downtime
- when you want to immediately benefit from the latest threat prevention

17. SSL Forward Proxy decryption is enabled on the firewall. When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates. The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates. Which two options will satisfy this requirement? (Choose two.)
- Create a self-signed Forward Untrust enabled certificate.
- Create a Decryption Profile with the “Block sessions with expired certificates” option enabled.
- Remove the Forward Untrust option from the Forward Trust certificate.
- Create a PKI signed Forward Untrust enabled certificate.

18. An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations. They have also purchased a Support license, a Threat license, a URL Filtering license, and a WildFire license for each firewall. What additional license do they need to purchase?
- a Cortex Data Lake license
- an IoT Security license for each deployed firewall
- an IoT Security license for the perimeter firewall
- an Enterprise Data Loss Prevention (DLP) license

19. Which command is used to install Expedition tool for migration? (Choose 2)
- sudo apt-get update
- sudo apt-get install expedition-beta
- sudo apt-get install expedition
- sudo apt-get upgrade

20. An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?
- Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP
- The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP
- The firewalls do not use floating IPs in active/active
- The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.

21. What is the default port used by the Terminal Services agent to communicate with a firewall?
- 5009
- 636
- 5007
- 443

22. What configuration is necessary for Active/Active HA to synchronize sessions between peers?
- Enable session Preemption on both peers
- Configure a floating IP address
- Use the same virtual IP address on both peers
- Enable session synchronization under the HA settings

23. Your customer has asked you to set up tunnel monitoring on an IPsec VPN tunnel between two offices. What three steps are needed to set up tunnel monitoring? (Choose three)
- Add an IP address to each tunnel interface
- Enable tunnel monitoring on each IPsec tunnel
- Restart each IKE gateway
- Create a monitoring profile
- Restart each IPsec tunnel

24. A customer has firewalls deployed at multiple data centers globally, which are managed by a single Panorama pair. Each data center has multiple PA-7080 firewalls running PAN-OS 9.0. What are two recommended logging infrastructures across the data centers if the customer needs to log? (Choose two.)
- Mixed mode Panorama
- Single log collector in the main data center
- Distributed log collector
- Cortex Data Lake

25. A customer recently purchased a license for URL filtering and is having trouble activating PAN-DB. Which two commands can be used to troubleshoot this issue? (Choose two.)
- show device setting pan-db
- request license info
- request url-database license info
- show system setting url-database

26. How can you verify that a new security policy is correctly blocking traffic without disrupting the network?
- Use the test security-policy-match CLI command
- Disable all other rules temporarily
- Implement the policy in a lab environment first
- Enable logging on the rule and monitor logs

27. Which of the following must be enabled to use Threat Prevention features such as Anti-Virus and Anti-Spyware on the firewall?
- WildFire Subscription
- GlobalProtect
- Security Profiles
- URL Filtering

28. A customer has a pair of Panorama HA appliances running local log collectors and wants to have log redundancy on logs forwarded from firewalls. Which two configuration options fulfill the customer’s requirement for log redundancy? (Choose two.)
- Log redundancy must be enabled per Collector Group.
- Panorama operational mode needs to be Dedicated Log Collector.
- A Collector Group must contain at least two Log Collectors.
- Panorama configured in HA provides log redundancy.

29. An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
- both active and passive firewalls independently and with no sync afterward
- the passive firewall, which then synchronizes to the active firewall
- both active and passive firewalls, which then sync with each other
- the active firewall, which then synchronizes to the passive firewall

30. Identify the Stakeholder with their Role when planning a Firewall, Panorama, and Cortex XDR Deployment.
(Select correct 4)
- Security Administrator -> Manages the software distribution method for Cortex XDR Client
- Network Engineer -> Manages the routing, switching, and general device interconnectivity
- Security Engineer -> Determines the security, logging, reporting requirement and manages the security policy
- Security Administrator -> Determines the security, logging, reporting requirement and manages the security policy
- Security Operation Analyst -> Manages the alerts and responds to threats identified to the network or endpoints.
- Security Engineer -> Manages the software distribution method for Cortex XDR Client

31. Match the APP-ID Adoption Task with its order in the process.

32. Which routing configuration should you recommend to a customer who wishes to actively use multiple pathways to the same destination?
- ECMP
- BGP
- OSPF
- RIPv2

33. Which three steps must an admin perform to load only objects from a PAN-OS saved config file into a VM-300 firewall that is in production? (Choose 3)
- use device config import in Panorama
- enter config mode from CLI
- use load config partial command
- import named config snapshot through web interface
- Load config in web interface and commit

34. What information is necessary to properly plan the deployment of a Panorama hardware appliance for firewall management?
- Virtual router, zones, and interface configuration of the dataplane interface
- Panorama Mode, number of managed devices, CPU, and memory allocation in the hypervisor
- ESXi Server location and routing to the Panorama appliance
- Wiring, power, Console access, and management interface connectivity

35. In Panorama, the web interface displays the security rules in evaluation order. Organize the security rules in the order in which they will be evaluated.
- Shared pre-rules -> Local firewall-rules -> Device group pre-rules -> Device group post-rules -> Shared post-rules
- Shared pre-rules -> Device group pre-rules -> Local firewall-rules -> Device group post-rules -> Shared post-rules
- Shared pre-rules -> Shared post-rules -> Device group pre-rules -> Local firewall-rules -> Device group post-rules
- Shared pre-rules -> Device group pre-rules -> Device group post-rules -> Shared post-rules -> Local firewall-rules

36. What happens when a packet from an existing session is received by a firewall that
- The firewall forwards the packet to the peer firewall over the HA3 link
- The firewall drops the packet to prevent any L3 loops
- The firewall takes ownership of the session from the peer firewall
- The firewall requests the sender to resend the packet

37. Which two options describe the behavior of the “Direction” property in a WildFire Analysis Profile rule? (Choose two.)
- The upload direction option matches only files that were uploaded to the internet by a user on the Inside network.
- The both direction option matches all files that are seen by the firewall, regardless of whether the transfer is started by the connection initiator or responder.
- The download direction option matches files that the connection initiator received from the service it connected to.
- The both direction option matches all files, but only if the transfer is started by the connection initiator.

38. With its improved reliability and automation, Expedition 2 will install by using which of the following?
- Ubuntu 16.04 and higher
- Windows Server 2016
- Ubuntu 20.04
- Red Hat Enterprise Linux (RHEL) 9

39. Instead of disabling App-IDs regularly, a security policy rule is going to be configured to temporarily allow new App-IDs. In which two circumstances is it valid to disable App-IDs as part of content update? (Choose two.)
- when disabling facebook-base to disable all other Facebook App-IDs
- when planning to enable the App-IDs immediately
- when you want to immediately benefit from the latest threat prevention
- when an organization operates a mission-critical network and has zero tolerance for downtime

40. Match the task for server setting in group mapping with its order in the process.

41. What is exchanged through the HA2 link?
- hello heartbeats
- User-ID information
- HA state information
- session synchronization

42. What is the preferred method for gathering User-ID mappings from Citrix VDI servers?
- The Windows User-ID agent
- GlobalProtect with an internal gateway
- Agentless Server Monitoring
- The Terminal Services agent

43. Which interface deployments support the Aggregate Ethernet Active configuration? (Choose three.)
- LACP in Layer 3
- LACP in Virtual Wire
- LACP in TAP
- LACP in Layer 2
- LLDP in Layer 3

44. After you run the command "sudo apt-get update", which command will you run to install?
- sudo apt-get expedition install
- sudo apt-get install expedition
- sudo apt-get install expedition-beta
- sudo apt-get upgrade

45. What command can you use to check the status of GlobalProtect clients connected to the firewall?
- show globalprotect current-user
- show globalprotect gateway
- show globalprotect statistics
- show globalprotect status

46. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS software would help in this case?
- redistribution of user mappings
- virtual wire mode
- application override
- content inspection

47. In an HA active/active configuration, which task does the session setup firewall perform?
- NAT
- Traffic log generation
- threat scanning
- decryption

48. Which Panorama operational mode is necessary to manage a large number of firewalls and also act as a log collector?
- Management Only
- Log Collector Only
- Dedicated Log Collector
- Management and Log Collector

49. TAC has requested a PCAP on your Panorama to see why the DNS app is having intermittent issues resolving FQDN. What is the appropriate CLI command?
- tcpdump snaplen 53 filter "port 53"
- tcp dump snap-en 0 filter "app dns"
- tcp dump snaplen 53 filter "tcp 53"
- tcpdump snaplen 0 filter "port 53"

50. When creating a custom application signature, which field allows you to specify the layer 7 protocol details to match?
- Pattern Match
- Protocol Decoder
- Application
- Signature ID