Question # 1
A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.
Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?
A. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
B. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use IP User Mapping. Commit.
C. Choose the URL categories on Site Access column and set action to block. Click the User Credential Detection tab and select IP User Mapping. Commit.
D. Choose the URL categories in the User Credential Submission column and set action to block. Select the URL filtering settings and enable Domain Credential Filter. Commit.
Answer:
A. Choose the URL categories in the User Credential Submission column and set action to block. Select the User Credential Detection tab and select Use Domain Credential Filter. Commit.
Question # 2
An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
A. The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
B. The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
C. The firewall rejects the pushed configuration, and the commit fails.
D. The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.
Answer:
C. The firewall rejects the pushed configuration, and the commit fails.
Question # 3
Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.
Given the rule below, what change should be made to make sure the NAT works as expected?
A. Change destination NAT zone to Trust_L3.
B. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address.
C. Change Source NAT zone to Untrust_L3.
D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
Answer:
D. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.
Question # 4
Exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
A. Any configuration on an M-500 would address the insufficient bandwidth concerns
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
C. Configure log compression and optimization features on all remote firewalls
D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
Answer:
D. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
Explanation:
In the image, we see multiple firewalls at a remote site sending logs directly to both Panorama and to various management and monitoring systems at the data center, which consumes significant WAN bandwidth.
To reduce WAN traffic while maintaining the existing log visibility:
🔄 Centralize log forwarding:
Send logs only once across the WAN — from the firewalls to Panorama — and let Panorama handle the log forwarding to all other systems (SIEM, monitoring tools, etc.).
This drastically cuts down on duplicate log traffic over the WAN.
🔍 Why the other options are incorrect:
A. Any configuration on an M-500 would address the insufficient bandwidth concerns:
❌ Incorrect. The M-500 is a Panorama appliance, and its configuration affects log storage/management but doesn't inherently reduce WAN bandwidth unless used properly in architecture like option D.
B. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW:
❌ Reversed logic. Logs go from NGFWs to Panorama, not the other way around.
C. Configure log compression and optimization features on all remote firewalls:
❌ PAN-OS does not support log compression across WAN links for remote log forwarding. So this option is not feasible.
🧠 Best Practice:
Use Panorama in "Log Collector mode" or dedicated log collectors to centralize logs.
Use Panorama’s Log Forwarding feature to relay logs to external monitoring and SIEM systems.
This keeps only one copy of each log traveling across the WAN, minimizing traffic and duplication.
Question # 5
A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:
threat type: spyware category: dns-c2 threat ID: 1000011111
Which set of steps should the administrator take to configure an exception for this signature?
A. Navigate to Objects > Security Profiles > Anti-Spyware. Select related profile. Select DNS exceptions tabs. Search related threat ID and click enable. Commit.
B. Navigate to Objects > Security Profiles > Vulnerability Protection. Select related profile. Select the signature exceptions tab and then click show all signatures. Search related threat ID and click enable. Change the default action. Commit.
C. Navigate to Objects > Security Profiles > Vulnerability Protection. Select related profile. Select the Exceptions tab and then click show all signatures. Search related threat ID and click enable. Commit.
D. Navigate to Objects > Security Profiles > Anti-Spyware. Select related profile. Select the Exceptions tab and then click show all signatures. Search related threat ID and click enable. Commit.
Answer:
A. Navigate to Objects > Security Profiles > Anti-Spyware. Select related profile. Select DNS exceptions tabs. Search related threat ID and click enable. Commit.
Explanation:
When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category "dns-c2"), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.
The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:
1. Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
2. Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
3. Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
4. Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
5. Commit the changes to make the exception active.
By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.
Question # 6
A firewall administrator is configuring an IPSec tunnel between a company's HQ and a
remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a
static IP. At the remote location, the interface used to terminate the IPSec tunnel has a
DHCP assigned IP address.
Which two actions are required for this scenario to work? (Choose two.)
A. On the HQ firewall select peer IP address type FQDN
B. On the remote location firewall select peer IP address type Dynamic
C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel
D. On the remote location firewall enable DDNS under the interface used for the IPSec tunnel
Answer:
A. On the HQ firewall select peer IP address type FQDN
C. On the HQ firewall enable DDNS under the interface used for the IPSec tunnel
Question # 7
Exhibit.
Review the screenshots and consider the following information:
1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG
2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
A. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1
B. Server-1 on FW-1 will have IP 111.1. Server-1 will not be pushed to FW-2.
C. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
D. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
Answer:
A. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1
Explanation:
Device Group Hierarchy
Shared
DATACENTER_DG
DC_FW_DG
REGIONAL_DG
OFFICE_FW_DG
FW-1_DG
Analysis
Considerations:
FW-1 is assigned to the FW-1_DG device group.
FW-2 is assigned to the OFFICE_FW_DG device group.
There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
The address object Server-1 appears in multiple device groups with different IP addresses.
The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.
How to Pass PCNSE Exam?
The PCNSE certification validates your expertise in designing, deploying, configuring, and managing Palo Alto Networks firewalls and Panorama, making it essential to thoroughly understand both the concepts and practical applications.
The official PCNSE Study Guide is an excellent resource to help you prepare effectively. Consider enrolling in official training courses like the Firewall Essentials: Configuration and Management (EDU-210) or Panorama: Managing Firewalls at Scale (EDU-220). Setting up a lab environment using Palo Alto firewalls, either physical or virtual, allows you to practice configuring and managing the platform in real-world scenarios. Focus on key tasks such as configuring security policies, NAT, VPNs, and high availability, as well as implementing App-ID, Content-ID, and User-ID.
Our PCNSE practice tests help you identify areas where you need improvement and familiarize you with the exam format and question types.
Engaging with the Palo Alto Networks community through forums like the LIVE Community or Reddit can also provide valuable insights and tips from others who have taken the Palo Alto certified network security engineer exam.