It is impossible to pass Paloalto Networks pcnse6 exam questions exam without any help in the short term. Come to Actualtests soon and find the most advanced, correct and guaranteed Paloalto Networks pcnse6 exam dumps practice questions. You will get a surprising result by our Update Palo Alto Networks Certified Network Security Engineer 6.0 practice guides.

Q76. Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply. 

A. Security policy from trust zone to Internet zone that allows ping 

B. Create the appropriate routes in the default virtual router 

C. Security policy from Internet zone to trust zone that allows ping 

D. Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2 

Answer: A,D 

Q77. A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the certificate sent by the firewall to the client be when doing SSL Decryption? 

A. 512 bits 

B. 1024 bits 

C. 2048 bits 

D. 4096 bits 




Q78. It is discovered that WebandNetTrends Unlimited’s new web server software produces traffic that the Palo Alto Networks firewall sees as "unknown-tcp" traffic. 

Which two configurations would identify the application while preserving the ability of the firewall to perform content and threat detection on the traffic? Choose 2 answers 

A. A custom application, with a name properly describing the new web server s purpose 

B. A custom application and an application override policy that assigns traffic going to and from the web server to the custom application 

C. An application override policy that assigns the new web server traffic to the built-in application "web-browsing" 

D. A custom application with content and threat detection enabled, which includes a signature, identifying the new web server s traffic 

Answer: A,B 

Q79. What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an Active/Passive High Availability (HA) pair? 

A. The peer HA1 IP address must be the same on both firewalls. 

B. The management interfaces must be on the same network. 

C. The firewalls must have the same set of licenses. 

D. The HA interfaces must be directly connected to each other. 



Reference: page 134 

Q80. In Active/Active HA environments, redundancy for the HA3 interface can be achieved by 

A. Configuring a corresponding HA4 interface 

B. Configuring HA3 as an Aggregate Ethernet bundle 

C. Configuring multiple HA3 interfaces 

D. Configuring HA3 in a redundant group 


Q81. A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities. 

A. True 

B. False 


Q82. Which three processor types are found on the data plane of a PA-5050? Choose 3 answers 

A. Multi-Core Security Processor 

B. Signature Match Processor 

C. Network Processor 

D. Protocol Decoder Processor 

E. Management Processor 

Answer: A,B,C 


Reference: page 8 

Q83. A user is reporting that they cannot download a PDF file from the internet. 

Which action will show whether the downloaded file has been blocked by a Security Profile? 

A. Filter the Session Browser for all sessions from the user with the application "adobe". 

B. Filter the System log for "Download Failed" messages. 

C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action. 

D. Filter the Data Filtering logs for the user’s traffic and the name of the PDF file. 


Q84. For non-Microsoft clients, what Captive Portal method is supported? 

A. NTLM Auth 

B. User Agent 

C. Local Database 

D. Web Form Captive Portal 


Q85. Given the following routing table: 

Which configuration change on the firewall would cause it to use as the nexthop for the network? 

A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext 

B. Configuring the metric for RIP to be higher than that of OSPF Int 

C. Configuring the metric for RIP to be lower than that of OSPF Ext 

D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int 




Q86. Both SSL decryption and SSH decryption are disabled by default. 

A. True 

B. False 


Q87. A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with this configuration information: 

Users outside the company are in the "Untrust-L3" zone. 

The web server physically resides in the "Trust-L3" zone. 

Web server public IP address: 

Web server private IP address: 

Which NAT Policy rule will allow users outside the company to access the web server? 

A. Option A 

B. Option B 

C. Option C 

D. Option D 


Q88. Which two interface types provide support for network address translation (NAT)? Choose 2 answers 

A. HA 

B. Tap 

C. Layer3 

D. Virtual Wire 

E. Layer2 

Answer: C,D 



Q89. When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS. 

A. Yes 

B. No 


Q90. Ethernet 1/1 has been configured with the following subinterfaces: 

The following security policy is applied: 

The Interface Management Profile permits the following: 

Your customer is trying to ping from VLAN 800 IP 

What will be the result of this ping? 

A. The ping will be successful because the management profile applied to Ethernet1/1 allows ping. 

B. The ping will not be successful because the virtual router is different from the other subinterfaces. 

C. The ping will not be successful because there is no management profile attached to Ethernet1/1.799. 

D. The ping will not be successful because the security policy does not apply to VLAN 800. 

E. The ping will be successful because the security policy permits this traffic.