01. While analyzing a traffic log, an engineer sees that some entries show "unknown-tcp" in the Application column. What best explains these occurrences?
a) A handshake took place, but no data packets were sent prior to the timeout.
b) A handshake took place; however, there were not enough packets to identify the application
c) A handshake did not take place, and the application could not be identified.
d) A handshake did take place, but the application could not be identified
02. Which protocol is natively supported by GlobalProtect Clientless VPN?
a) FTP
b) SSH
c) HTTPS
d) RDP
03. Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?
a) No Direct Access to local networks
b) Tunnel mode
c) iPSec mode
d) Satellite mode
04. An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
a) Reload the running configuration and perform a Firewall local commit.
b) Perform a commit force from the CLI of the firewall.
c) Perform a template commit push from Panorama using the “Force Template Values” option.
d) Perform a device-group commit push from Panorama using the “Include Device and Network Templates” optio
05. Which two policy components are required to block traffic in real time using a dynamic user group (DUG)?
(Choose two.)
a) A Decryption policy to decrypt the traffic and see the tag
b) A Deny policy with the “tag” App-ID to block the tagged traffic
c) An Allow policy for the initial traffic
d) A Deny policy for the tagged traffic
06. An administrator has been tasked with configuring decryption policies, Which decryption best practice should they consider?
a) Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted.
b) Decrypt all traffic that traverses the firewall so that it can be scanned for threats.
c) Place firewalls where administrators can opt to bypass the firewall when needed.
d) Create forward proxy decryption rules without Decryption profiles for unsanctioned applications.
07. An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.
Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
a) SSL forward proxy
b) Explicit proxy
c) Transparent proxy
d) DNS proxy
08. An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
a) Browser-supported cipher documentation
b) Cipher documentation supported by the endpoint operating system
c) URL risk-based category distinctions
d) Legal compliance regulations and acceptable usage policies
09. Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent?
(Choose two.)
a) LDAP
b) Log Ingestion
c) HTTP
d) Log Forwarding
10. Why would a traffic log list an application as "not-applicable"?
a) The TCP connection terminated without identifying any application data
b) There was not enough application data after the TCP connection was established
c) The application is not a known Palo Alto Networks App-ID.
d) The firewall denied the traffic before the application match could be performed.
Before you write the Palo Alto PCNSE certification exam, you may have certain doubts in your mind regarding the pattern of the test, the types of questions asked in it, the difficulty level of the questions and time required to complete the questions. These Palo Alto Networks Certified Network Security Engineer (PCNSE PAN-OS 10) sample questions and demo exam help you in removing these doubts and prepare you to take the test.