Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Palo Alto Networks
  5. PCNSE

Palo Alto Networks PCNSE Exam
Palo Alto Networks Certified Network Security Engineer (Page 24 )

Updated On: 12-Feb-2026
Page 24 of 123
PDF with 606 Questions

Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

  1. Palo Alto Networks > Symantec > VeriSign
  2. VeriSign > Symantec > Palo Alto Networks
  3. Symantec > VeriSign > Palo Alto Networks
  4. VeriSign > Palo Alto Networks > Symantec

Answer(s): B



An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.

Which configuration will enable the firewall to download and install application updates automatically?

  1. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
  2. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
  3. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interfaced destined for the update servers goes out of the interface acting as your Internet connection.
  4. Configure a Security policy rule to allow all traffic to and from the update servers.

Answer(s): B



A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone.

Which option differentiates multiple VLANs into separate zones?

  1. Create V-Wire objects with two V-Wire interfaces and define a range of “0-4096” in the “Tag Allowed” field of the V-Wire object.
  2. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the “Tag Allowed” field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
  3. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
  4. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN I Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Answer(s): B



Which data flow describes redistribution of user mappings?

  1. User-ID agent to firewall
  2. Domain Controller to User-ID agent
  3. User-ID agent to Panorama
  4. firewall to firewall

Answer(s): D



Where can an administrator see both the management plane and data plane CPU utilization in the WebUI?

  1. System Utilization log
  2. System log
  3. Resources widget
  4. CPU Utilization widget

Answer(s): C






Post your Comments and Discuss Palo Alto Networks PCNSE exam prep with other Community members:

Join the PCNSE Discussion