PCNSE Free Practice Test

View the screenshots.


A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)

1. A. DNS has a higher priority and more bandwidth than SSH.
2. B. Google-video has a higher priority and more bandwidth than WebEx.
3. C. SMTP has a higher priority but lower bandwidth than Zoom.
4. D. Facetime has a higher priority but lower bandwidth than Zoom.

Correct Answer: CD

An engineer discovers the management interface is not routable to the User-ID agent What configuration is needed to allow the firewall to communicate to the User-ID agent?

1. A. Create a NAT policy for the User-ID agent server
2. B. Add a Policy Based Forwarding (PBF) policy to the User-ID agent IP
3. C. Create a custom service route for the UID Agent
4. D. Add a static route to the virtual router

Correct Answer: C
To allow the firewall to communicate with the User-ID agent, you need to configure a custom service route f the UID Agent23. A custom service route allows you to specify which interface and source IP address the firewall uses to connect to a specific destination service. By default, the firewall uses its management interface for services such as User-ID, but you can override this behavior by creating a custom service route.
To configure a custom service route for the UID Agent, you need to do the following steps:
Go to Device > Setup > Services and click Service Route Configuration.
In the Service column, select User-ID Agent from the drop-down list.
In the Interface column, select an interface that can reach the User-ID agent server from the drop-down list.
In the Source Address column, select an IP address that belongs to that interface from the drop-down list.
Click OK and Commit your changes.
The correct answer is C. Create a custom service route for UID Agent

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?

1. A. Firewalls send SNMP traps to Panorama when resource exhaustion is detected Panorama generates a system log and can send email alerts
2. B. Panorama provides visibility into all the system and traffic logs received from firewalls it does not offer any ability to see or monitor resource utilization on managed firewalls
3. C. Panorama monitors all firewalls using SNMP It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall
4. D. Panorama provides information about system resources of the managed devices in the Managed Devices> Health menu

Correct Answer: D
Panorama can help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall by providing information about system resources of the managed devices in the Managed Devices > Health menu. This is explained in the Palo Alto Networks PCNSE Study Guide in Chapter 13: Panorama, under the section "Monitoring Managed Firewalls with Panorama":
"The Panorama web interface provides information about the system resources of the managed devices. In the Managed Devices > Health menu, you can view the CPU, memory, and disk usage of each managed device. This information can help you troubleshoot problems such as high CPU or resource exhaustion on a managed firewall."

An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)

1. A. Inherit settings from the Shared group
2. B. Inherit IPSec crypto profiles
3. C. Inherit all Security policy rules and objects
4. D. Inherit parent Security policy rules and objects

Correct Answer: BD
* B. Inherit IPSec crypto profiles
This is correct because IPSec crypto profiles are one of the objects that can be inherited from a parent device group1. You can also create IPSec crypto profiles for use in shared or device group polic1y.
* D. Inherit parent Security policy rules and objects
This is correct because Security policy rules and objects are also inheritable from a parent device group1. You can also create Security policy rules and objects for use in shared or device group policy1.

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled.
What action should the engineer take?

1. A. Add an authentication algorithm in the IPSec Crypto profile.
2. B. Enable PFS under the IPSec Tunnel advanced options.
3. C. Select the appropriate DH Group under the IPSec Crypto profile.
4. D. Enable PFS under the IKE gateway advanced options

Correct Answer: D