Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Palo Alto Networks
  5. PCNSE

Palo Alto Networks PCNSE Exam
Palo Alto Networks Certified Network Security Engineer (Page 19 )

Updated On: 12-Feb-2026
Page 19 of 123
PDF with 606 Questions

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

  1. The firewall is in multi-vsys mode.
  2. The traffic is offloaded.
  3. The traffic does not match the packet capture filter.
  4. The firewall’s DP CPU is higher than 50%.

Answer(s): B,C


Reference:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/disable-hardware-offload



A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.

Which solution in PAN-OS® software would help in this case?

  1. application override
  2. Virtual Wire mode
  3. content inspection
  4. redistribution of user mappings

Answer(s): D


Reference:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network



An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in “the cloud”). Bootstrapping is the most expedient way to perform this task.

Which option describes deployment of a bootstrap package in an on-premise virtual environment?

  1. Use config-drive on a USB stick.
  2. Use an S3 bucket with an ISO.
  3. Create and attach a virtual hard disk (VHD).
  4. Use a virtual CD-ROM with an ISO.

Answer(s): D


Reference:

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-kvm/install-the-vm-series-firewall-on-kvm/use-an-iso-file-to-deploy-the-vm-series-firewall



Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a “No Decrypt” action? (Choose two.)

  1. Block sessions with expired certificates
  2. Block sessions with client authentication
  3. Block sessions with unsupported cipher suites
  4. Block sessions with untrusted issuers
  5. Block credential phishing

Answer(s): A,D


Reference:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/define-traffic-to-decrypt/create-a-decryption-profile



Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server?

  1. port mapping
  2. server monitoring
  3. client probing
  4. XFF headers

Answer(s): A


Reference:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/configure-user-mapping-for-terminal-server-users






Post your Comments and Discuss Palo Alto Networks PCNSE exam prep with other Community members:

Join the PCNSE Discussion