It is impossible to pass Paloalto Networks PCNSE6 exam without any help in the short term. Come to Testking soon and find the most advanced, correct and guaranteed Paloalto Networks PCNSE6 practice questions. You will get a surprising result by our Up to the immediate present Palo Alto Networks Certified Network Security Engineer 6.0 practice guides.

2021 Oct PCNSE6 practice test

Q21. What is the correct policy to most effectively block Skype? 

A. Allow Skype, block Skype-probe 

B. Allow Skype-probe, block Skype 

C. Block Skype-probe, block Skype 

D. Block Skype 

Answer: A 


Q22. Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment? 

A. HA3 is used for session synchronization 

B. The HA3 link is used to transfer Layer 7 information 

C. HA3 is used to handle asymmetric routing 

D. HA3 is the control link 

Answer: A 


Q23. Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? Choose 2 answers 

A. Brute-force signatures 

B. DNS-based command-and-control signatures 

C. PAN-DB URL Filtering 

D. BrightCloud URL Filtering 

Answer: B,C 

Explanation: 

Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html 


Q24. HOTSPOT 

Match the components with their role in preventing threats. 

Answer options may be used more than once or not at all. 


Answer: 



Q25. Which of the following objects cannot use User-ID as a match criteria? 

A. Security Policies 

B. QoS 

C. Policy Based Forwarding 

D. DoS Protection 

E. None of the above 

Answer: E 


PCNSE6 vce

Refresh PCNSE6 exam fees:

Q26. Which three inspections can be performed with a next-generation firewall but NOT with a legacy firewall? Choose 3 answers 

A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2 

B. Validating that UDP port 53 packets are not being used to tunnel data for another protocol 

C. Identifying unauthorized applications that attempt to connect over non-standard ports 

D. Allowing a packet through from an external DNS server only if an internal host recently queried that DNS server 

E. Removing from the session table any TCP session without traffic for 3600 seconds 

Answer: B,C,D 


Q27. What is the name of the debug save file for IPSec VPN tunnels? 

A. set vpn all up 

B. test vpn ike-sa 

C. request vpn IPsec-sa test 

D. Ikemgr.pcap 

Answer: D 


Q28. How is the Forward Untrust Certificate used? 

A. It issues certificates encountered on the Untrust security zone. 

B. It is used for Captive Portal to identify unknown users. 

C. It is used when web servers request a client certificate. 

D. It is the issuer for an external certificate which is not trusted by the firewall. 

Answer: D 


Q29. Which of the following describes the sequence of the Global Protect agent connecting to a Gateway? 

A. The Agent connects to the Portal obtains a list of Gateways, and connects to the Gateway with the fastest SSL response time 

B. The agent connects to the closest Gateway and sends the HIP report to the portal 

C. The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time 

D. The agent connects to the portal and randomly establishes a connection to the first available gateway 

Answer: A 


Q30. A company has a web server behind their Palo Alto Networks firewall that they would like to make accessible to the public. They have decided to configure a destination NAT Policy rule. 

Given the following zone information: 

DMZzone: DMZ-L3 

Public zone: Untrust-L3 

Web server zone: Trust-L3 

Public IP address (Untrust-L3): 1.1.1.1 

Private IP address (Trust-L3): 192.168.1.50 

What should be configured as the destination zone on the Original Packet tab of the NAT Policy rule? 

A. DMZ-L3 

B. Any 

C. Untrust-L3 

D. Trust-L3 

Answer: C