Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Decryption and Monitoring

Practice PCNSA Decryption and Monitoring questions with full explanations on every answer.

All PCNSA Decryption and Monitoring questions (66)

1

A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?

2

A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?

3

A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?

4

A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?

5

Which monitoring tool in a Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?

6

An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?

7

During a security audit, it is discovered that some internal hosts are using TLS 1.0, which is deprecated. The firewall is configured to decrypt SSL traffic. How can the administrator use the firewall to detect and report these connections without breaking them?

8

A company uses SSL Forward Proxy decryption. The firewall's decryption certificate expires. What immediate impact does this have on traffic?

9

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

10

Which THREE of the following are valid actions for a decryption policy rule? (Choose three.)

11

Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)

12

Refer to the exhibit. An administrator notices a large number of decryption sessions. What is a valid conclusion based on the output?

13

Refer to the exhibit. A user in the trust zone accesses a banking site (category: financial-services). What action will the firewall take on this HTTPS session?

14

A mid-sized enterprise has deployed a Palo Alto Networks firewall with SSL Forward Proxy decryption for outbound traffic. The firewall uses a CA-signed certificate from a public CA, and the certificate is installed on all corporate-managed endpoints. Recently, the security team noticed that a few users are unable to access a specific external SaaS application (app.example.com) over HTTPS. Other users can access it without issues. The firewall logs show that for these users, the session is being decrypted and no threat is detected. The application uses a valid certificate from a public CA. The affected users are in the same IP subnet and use the same browser version. Which is the most likely cause?

15

A university uses a Palo Alto Networks firewall to protect its network. They have implemented SSL Forward Proxy decryption for all student traffic. Recently, the IT helpdesk has received complaints from students that some websites (e.g., online banking, healthcare portals) are not loading properly. The firewall logs show that these sites are being decrypted, and no threats are detected. The university's legal team has advised that decryption of financial and healthcare sites may violate regulations. The network team wants to quickly resolve the issue while ensuring compliance. What is the best course of action?

16

A security administrator needs to inspect traffic to a critical web server that uses HTTPS. The firewall is configured as a forward proxy for outbound traffic. Which decryption type should be used to decrypt the traffic inbound to the web server?

17

A company wants to decrypt all SSL/TLS traffic from internal users except traffic to financial sites. The firewall is placed as a forward proxy. Which policy configuration ensures that traffic to financial sites is not decrypted?

18

During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?

19

A firewall is configured for inbound inspection decryption. Which certificate must be installed on the firewall for this to work?

20

A network administrator wants to monitor HTTPS traffic without decrypting it, but still wants to identify the applications being used. Which feature can be used to identify HTTPS applications without decryption?

21

A firewall administrator notices that traffic from an internal user is being decrypted, but the user's browser shows a certificate warning. The firewall uses a CA certificate issued by the company's internal PKI. What is the most likely reason for the browser warning?

22

A firewall is configured to decrypt SSH traffic. Which type of decryption must be enabled?

23

A company wants to ensure that decryption policies are applied based on the user identity. The firewall is integrated with Active Directory. Which decryption policy matching criteria should be used?

24

A firewall is experiencing high CPU utilization due to SSL decryption. The administrator wants to reduce the load without completely disabling decryption. Which action should be taken?

25

A security analyst is troubleshooting a decryption issue. Which TWO logs are most useful for identifying decryption failures? (Choose two.)

26

Which TWO actions can be performed in a decryption policy? (Choose two.)

27

A firewall administrator is configuring SSL decryption for internal users. Which THREE components are required for forward proxy decryption to function properly? (Choose three.)

28

An administrator runs the command and sees the above output. What is the most likely cause of the large number of handshake failures?

29

A user at IP 10.0.0.10 is accessing a server at 192.168.1.5. According to the decryption policy, what will happen to the traffic?

30

An administrator sees the above traffic log entries. What can be concluded about the traffic to 192.168.1.1?

31

A company uses forward proxy decryption. A user cannot access an HTTPS site. The decryption policy is configured with the default SSL/TLS service profile. What is the most likely issue?

32

An admin notices that decryption is failing for some sites with error 'SSL Handshake Failed' in the traffic log. The decryption policy uses a custom SSL/TLS service profile with 'Allow Self-Signed Certificates' enabled. The firewall's certificate was issued by an internal CA. What should the admin check first?

33

An organization uses inbound inspection decryption for their public-facing web servers. They have imported the server's certificate and private key into the firewall. However, some clients report 'untrusted certificate' warnings. What is the most likely cause?

34

A security administrator wants to inspect decrypted traffic for threats. What is the minimum set of features required?

35

A company has a decryption policy that decrypts all traffic except for traffic to financial sites. However, users report that some financial sites are still being decrypted. What should the admin check first?

36

A firewall is configured with decryption and a custom SSL/TLS service profile that has 'Block Expired Certificates' enabled. After renewing a server certificate, some users are unable to access the site. The server certificate is correctly installed. What could be the issue?

37

An administrator wants to view logs related to decryption failures. Which log type should they use?

38

A decryption policy is configured to decrypt traffic to a specific external server. The admin notices that the traffic is not being decrypted. What is the first step in troubleshooting?

39

A company uses SSL Forward Proxy decryption. After implementing it, they notice that some internal applications that use client certificate authentication are failing. What is the most likely cause?

40

Which TWO actions should be taken when configuring SSL Forward Proxy decryption? (Select exactly two.)

41

Which THREE factors should be considered when deciding which traffic to decrypt? (Select exactly three.)

42

Which TWO logs are most useful for troubleshooting SSL decryption issues? (Select exactly two.)

43

Refer to the exhibit. The firewall raises a certificate expiry warning for the decryption CA. Which action is required?

44

Refer to the exhibit. A decryption policy has two rules. Traffic destined to a web server is not being decrypted. What is the most likely cause?

45

Refer to the exhibit. A firewall log shows a decryption failure for a session. What is the most probable cause?

46

A company wants to decrypt all SSL traffic from internal users to external websites. They have deployed a Palo Alto Networks firewall in forward proxy mode and installed a trusted root CA certificate on all endpoints. Users, however, are complaining about certificate errors when accessing HTTPS sites. Which configuration step is most likely missing?

47

A network administrator notices that some HTTPS sessions are not being decrypted by the firewall, even though the decryption policy rule is configured to decrypt traffic from a specific subnet. The firewall is in forward proxy mode. All other decryption rules work. What is the most likely cause?

48

A security team wants to inspect traffic to and from a critical application server. They configure an inbound decryption rule to decrypt traffic destined to the server's IP address. After deploying, they find that traffic is not being decrypted. What is the first step to troubleshoot?

49

A Palo Alto firewall administrator wants to monitor SSL decryption efficiency. Which log type provides the most detailed information about decryption actions and reasons for not decrypting?

50

After enabling SSL decryption, users report that some websites fail to load. The firewall logs show 'decryption error' for these sites. Which decryption profile setting should the administrator check first?

51

An organization is using outbound SSL decryption with a forward proxy. They notice that mobile devices (iOS/Android) are having trouble connecting to many HTTPS sites after decryption is enabled. IT has installed the root CA certificate on all devices. What is the most likely reason?

52

An administrator is troubleshooting decryption-related connectivity issues. Which two log types should be examined to gather information about decryption actions and errors?

53

During SSL decryption, which three factors can cause the firewall to fail to decrypt a session or to bypass decryption?

54

A security analyst needs to monitor decryption performance and identify sessions that are bypassing decryption due to policy or technical reasons. Which two monitoring tools or methods can provide this insight?

55

A hospital network uses a Palo Alto Networks firewall with outbound SSL decryption. The IT security team notices that during peak hours, the firewall CPU utilization spikes to 95% when decryption is enabled, causing latency for all users. They have already upgraded to maximum licensed throughput and added a dedicated decryption engine. However, the issue persists. The network has 10,000 endpoints and 500 Mbps throughput. The decryption policy includes rules to decrypt all traffic to critical medical cloud services (EHR, PACS) and social media sites. What should the administrator do first to reduce CPU load?

56

A financial services firm deploys inbound SSL decryption to inspect all HTTPS traffic to their customer-facing web application. After enabling decryption, customers report that they are unable to connect to the web app and receive 'This site can’t provide a secure connection' errors. The firewall logs show no decryption errors, and traffic logs show the sessions are matched to the decryption rule but no decryption action is taken. The web app uses a wildcard certificate (*.example.com). The firewall's decryption certificate is imported from the server's private key. What is the most likely cause?

57

A university uses a Palo Alto firewall for outbound SSL decryption. The IT helpdesk receives complaints that students cannot access certain educational resource websites (e.g., online libraries, research databases) after decryption was enabled. The firewall logs show 'decryption failure' for these sites with reason 'certificate validation failure'. The decryption profile is set to 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers'. The helpdesk verifies that the root CA certificate is installed on all endpoints. The issue is intermittent and only affects a few sites. What should the administrator do?

58

A company has a Palo Alto firewall with both inbound and outbound decryption. The security team notices that some traffic to a specific internal server is being double-decrypted: first by inbound decryption when the client is internal, and second by outbound decryption when the server initiates connections to external resources. This causes performance issues and certificate warnings. The firewall policy has separate rules for inbound and outbound decryption, and all internal traffic passes through the firewall. How should the administrator resolve this?

59

Refer to the exhibit. An administrator notices a high number of decryption failures. What is the most likely cause?

60

Which TWO actions are recommended for monitoring decrypted traffic on a Palo Alto Networks firewall?

61

A large enterprise uses Palo Alto Networks firewalls with SSL Forward Proxy to inspect all HTTPS traffic (port 443) from internal users. Recently, users have reported slow web browsing and intermittent failures when accessing certain financial and healthcare websites. The firewall's dataplane CPU consistently reaches 85-95% during business hours. The decryption policy is configured with a single rule that decrypts all outbound HTTPS traffic using the default SSL Forward Proxy settings. The firewall is a PA-5250 with ample license capacity. What should the administrator do to resolve the performance issues while maintaining security posture?

62

Refer to the exhibit. A network administrator notices that SSL decryption performance has degraded. Based on the exhibit, which factor is most likely contributing to the performance issue?

63

Refer to the exhibit. A security analyst wants to ensure that all HTTPS traffic from internal users to the internet is decrypted for inspection. However, traffic from the 'corp-users' group is being blocked instead of decrypted. Which configuration change should be made?

64

Refer to the exhibit. A network engineer observes a high number of SSL handshake failures. Which action is most likely to reduce these failures?

65

Refer to the exhibit. An administrator notices that some HTTPS sessions are not being decrypted. Which configuration change would address the most common cause of decryption failures shown?

66

Refer to the exhibit. An administrator configures decryption for HTTPS traffic from internal users. However, traffic using TLS 1.3 is not being decrypted. Which change should be made to decrypt TLS 1.3 traffic?

Frequently asked questions

What does the Decryption and Monitoring domain cover on the PCNSA exam?

The Decryption and Monitoring domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Decryption and Monitoring questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 66 questions in the Decryption and Monitoring domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Decryption and Monitoring for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Decryption and Monitoring questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Decryption and Monitoring domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
