Palo Alto Networks PCCSE Real Exam Questions
The questions for PCCSE were last updated on Feb 02, 2025.
- Exam Code: PCCSE
- Exam Name: Prisma Certified Cloud Security Engineer
- Certification Provider: Palo Alto Networks
- Latest update: Feb 02, 2025
Retrieve the Prisma Cloud Console images using ‘docker pull’.
Given an existing ECS Cluster, which option shows the steps required to install the Console in Amazon ECS?
- A . The console cannot natively run in an ECS cluster. A onebox deployment should be used.
- B . Download and extract the release tarball
  Ensure that each node has its own storage for Console data
  Create the Console task definition
  Deploy the task definition
- C . Download and extract release tarball
  Download task from AWS
  Create the Console task definition
  Deploy the task definition
- D . Download and extract the release tarball
  Create an EFS file system and mount to each node in the cluster
  Create the Console task definition
  Deploy the task definition
A Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud.
Which two steps can be performed by the Terraform script? (Choose two.)
- A . enable flow logs for Prisma Cloud.
- B . create the Prisma Cloud role.
- C . enable the required APIs for Prisma Cloud.
- D . publish the flow log to a storage bucket.
Which options show the steps required after upgrade of Console?
- A . Uninstall Defenders
  Upgrade Jenkins Plugin
  Upgrade twistcli where applicable
  Allow the Console to redeploy the Defender
- B . Update the Console image in the Twistlock hosted registry
  Update the Defender image in the Twistlock hosted registry
  Uninstall Defenders
- C . Upgrade Defenders
  Upgrade Jenkins Plugin
  Upgrade twistcli where applicable
- D . Update the Console image in the Twistlock hosted registry
  Update the Defender image in the Twistlock hosted registry
  Redeploy Console
A customer is deploying Defenders to a Fargate environment. It wants to understand the vulnerabilities in the image it is deploying.
How should the customer automate vulnerability scanning for images deployed to Fargate?
- A . Set up a vulnerability scanner on the registry
- B . Embed a Fargate Defender to automatically scan for vulnerabilities
- C . Designate a Fargate Defender to serve a dedicated image scanner
- D . Use Cloud Compliance to identify misconfigured AWS accounts
A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application. The application is running an NGINX container. The container is listening on port 8080 and is mapped to host port 80.
Which port should the team specify in the CNAF rule to protect the application?
- A . 443
- B . 80
- C . 8080
- D . 8888
A customer has a requirement to automatically protect all Lambda functions with runtime protection.
What is the process to automatically protect all the Lambda functions?
- A . Configure a function scan policy from the Defend/Vulnerabilities/Functions page.
- B . Configure serverless radar from the Defend/Compliance/Cloud Platforms page.
- C . Configure a manually embedded Lambda Defender.
- D . Configure a serverless auto-protect rule for the functions.
An administrator sees that a runtime audit has been generated for a Container. The audit message is “DNS resolution of suspicious name wikipedia.com. type A”.
Why would this message appear as an audit?
- A . The DNS was not learned as part of the Container model or added to the DNS allow list.
- B . This is a DNS known to be a source of malware.
- C . The process calling out to this domain was not part of the Container model.
- D . The Layer7 firewall detected this as anomalous behavior.