Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Palo Alto Networks
  5. PCNSE

Palo Alto Networks PCNSE Exam
Palo Alto Networks Certified Network Security Engineer (Page 18 )

Updated On: 12-Feb-2026
Page 18 of 123
PDF with 606 Questions

Which processing order will be enabled when a Panorama administrator selects the setting “Objects defined in ancestors will take higher precedence?”

  1. Descendant objects will take precedence over other descendant objects.
  2. Descendant objects will take precedence over ancestor objects.
  3. Ancestor objects will have precedence over descendant objects.
  4. Ancestor objects will have precedence over other ancestor objects.

Answer(s): C


Reference:

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-setup-management



An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.

How would the administrator establish the chain of trust?

  1. Use custom certificates
  2. Enable LDAP or RADIUS integration
  3. Set up multi-factor authentication
  4. Configure strong password authentication

Answer(s): A


Reference:

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama- overview/plan-your-panorama-deployment



What will be the egress interface if the traffic’s ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

  1. ethernet1/7
  2. ethernet1/5
  3. ethernet1/6
  4. ethernet1/3

Answer(s): D



Refer to the exhibit.


A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?

  1. Untrust (any) to Untrust (10.1.1.100), web browsing – Allow
  2. Untrust (any) to Untrust (1.1.1.100), web browsing – Allow
  3. Untrust (any) to DMZ (1.1.1.100), web browsing – Allow
  4. Untrust (any) to DMZ (10.1.1.100), web browsing – Allow

Answer(s): C



A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

  1. Rule #1: application: web-browsing; service: application-default; action: allow
    Rule #2: application: ssl; service: application-default; action: allow
  2. Rule #1: application: web-browsing; service: service-http; action: allow
    Rule #2: application: ssl; service: application-default; action: allow
  3. Rule # 1: application: ssl; service: application-default; action: allow
    Rule #2: application: web-browsing; service: application-default; action: allow
  4. Rule #1: application: web-browsing; service: service-https; action: allow
    Rule #2: application: ssl; service: application-default; action: allow

Answer(s): D






Post your Comments and Discuss Palo Alto Networks PCNSE exam prep with other Community members:

Join the PCNSE Discussion