Practice PCNSA Decryption and Monitoring questions with full explanations on every answer.
1. A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?
2. A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?
3. A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?
4. A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?
5. Which monitoring tool in Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?
6. An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?
7. During a security audit, it is discovered that some internal hosts are using TLS 1.0, which is deprecated. The firewall is configured to decrypt SSL traffic. How can the administrator use the firewall to detect and report these connections without breaking them?
8. A company uses SSL Forward Proxy decryption. The firewall's decryption certificate expires. What immediate impact does this have on traffic?
9. Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)
10. Which THREE of the following are valid actions for a decryption policy rule? (Choose three.)
11. Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)
12. Refer to the exhibit. An administrator notices a large number of decryption sessions. What is a valid conclusion based on the output?
13. Refer to the exhibit. A user in the trust zone accesses a banking site (category: financial-services). What action will the firewall take on this HTTPS session?
14. A mid-sized enterprise has deployed a Palo Alto Networks firewall with SSL Forward Proxy decryption for outbound traffic. The firewall uses a CA-signed certificate from a public CA, and the certificate is installed on all corporate-managed endpoints. Recently, the security team noticed that a few users are unable to access a specific external SaaS application (app.example.com) over HTTPS. Other users can access it without issues. The firewall logs show that for these users, the session is being decrypted and no threat is detected. The application uses a valid certificate from a public CA. The affected users are in the same IP subnet and use the same browser version. Which is the most likely cause?
15. A university uses a Palo Alto Networks firewall to protect its network. They have implemented SSL Forward Proxy decryption for all student traffic. Recently, the IT helpdesk has received complaints from students that some websites (e.g., online banking, healthcare portals) are not loading properly. The firewall logs show that these sites are being decrypted, and no threats are detected. The university's legal team has advised that decryption of financial and healthcare sites may violate regulations. The network team wants to quickly resolve the issue while ensuring compliance. What is the best course of action?
16. A security administrator needs to inspect traffic to a critical web server that uses HTTPS. The firewall is configured as a forward proxy for outbound traffic. Which decryption type should be used to decrypt the traffic inbound to the web server?
17. A company wants to decrypt all SSL/TLS traffic from internal users except traffic to financial sites. The firewall is placed as a forward proxy. Which policy configuration ensures that traffic to financial sites is not decrypted?
18. During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?
19. A firewall is configured for inbound inspection decryption. Which certificate must be installed on the firewall for this to work?
20. A network administrator wants to monitor HTTPS traffic without decrypting it, but still wants to identify the applications being used. Which feature can be used to identify HTTPS applications without decryption?
21. A firewall administrator notices that traffic from an internal user is being decrypted, but the user's browser shows a certificate warning. The firewall uses a CA certificate issued by the company's internal PKI. What is the most likely reason for the browser warning?
22. A firewall is configured to decrypt SSH traffic. Which type of decryption must be enabled?
23. A company wants to ensure that decryption policies are applied based on the user identity. The firewall is integrated with Active Directory. Which decryption policy matching criteria should be used?
24. A firewall is experiencing high CPU utilization due to SSL decryption. The administrator wants to reduce the load without completely disabling decryption. Which action should be taken?
25. A security analyst is troubleshooting a decryption issue. Which TWO logs are most useful for identifying decryption failures? (Choose two.)
26. Which TWO actions can be performed in a decryption policy? (Choose two.)
27. A firewall administrator is configuring SSL decryption for internal users. Which THREE components are required for forward proxy decryption to function properly? (Choose three.)
28. An administrator runs the command and sees the above output. What is the most likely cause of the large number of handshake failures?
29. A user at IP 10.0.0.10 is accessing a server at 192.168.1.5. According to the decryption policy, what will happen to the traffic?
30. An administrator sees the above traffic log entries. What can be concluded about the traffic to 192.168.1.1?
31. A company uses forward proxy decryption. A user cannot access an HTTPS site. The decryption policy is configured with the default SSL/TLS service profile. What is the most likely issue?
32. An admin notices that decryption is failing for some sites with error 'SSL Handshake Failed' in the traffic log. The decryption policy uses a custom SSL/TLS service profile with 'Allow Self-Signed Certificates' enabled. The firewall's certificate was issued by an internal CA. What should the admin check first?
33. An organization uses inbound inspection decryption for their public-facing web servers. They have imported the server's certificate and private key into the firewall. However, some clients report 'untrusted certificate' warnings. What is the most likely cause?
34. A security administrator wants to inspect decrypted traffic for threats. What is the minimum set of features required?
35. A company has a decryption policy that decrypts all traffic except for traffic to financial sites. However, users report that some financial sites are still being decrypted. What should the admin check first?
36. A firewall is configured with decryption and a custom SSL/TLS service profile that has 'Block Expired Certificates' enabled. After renewing a server certificate, some users are unable to access the site. The server certificate is correctly installed. What could be the issue?
37. An administrator wants to view logs related to decryption failures. Which log type should they use?
38. A decryption policy is configured to decrypt traffic to a specific external server. The admin notices that the traffic is not being decrypted. What is the first step in troubleshooting?
39. A company uses SSL Forward Proxy decryption. After implementing, they notice that some internal applications that use client certificate authentication are failing. What is the most likely cause?
40. Which TWO actions should be taken when configuring SSL Forward Proxy decryption? (Select exactly two.)
41. Which THREE factors should be considered when deciding which traffic to decrypt? (Select exactly three.)
42. Which TWO logs are most useful for troubleshooting SSL decryption issues? (Select exactly two.)
43. Refer to the exhibit. The firewall raises a certificate expiry warning for the decryption CA. Which action is required?
44. Refer to the exhibit. A decryption policy has two rules. Traffic destined to a web server is not being decrypted. What is the most likely cause?
45. Refer to the exhibit. A firewall log shows a decryption failure for a session. What is the most probable cause?
46. A company wants to decrypt all SSL traffic from internal users to external websites. They have deployed a Palo Alto Networks firewall in forward proxy mode and installed a trusted root CA certificate on all endpoints. Users, however, are complaining about certificate errors when accessing HTTPS sites. Which configuration step is most likely missing?
47. A network administrator notices that some HTTPS sessions are not being decrypted by the firewall, even though the decryption policy rule is configured to decrypt traffic from a specific subnet. The firewall is in forward proxy mode. All other decryption rules work. What is the most likely cause?
48. A security team wants to inspect traffic to and from a critical application server. They configure an inbound decryption rule to decrypt traffic destined to the server's IP address. After deploying, they find that traffic is not being decrypted. What is the first step to troubleshoot?
49. A Palo Alto firewall administrator wants to monitor SSL decryption efficiency. Which log type provides the most detailed information about decryption actions and reasons for not decrypting?
50. After enabling SSL decryption, users report that some websites fail to load. The firewall logs show 'decryption error' for these sites. Which decryption profile setting should the administrator check first?
51. An organization is using outbound SSL decryption with a forward proxy. They notice that mobile devices (iOS/Android) are having trouble connecting to many HTTPS sites after decryption is enabled. IT has installed the root CA certificate on all devices. What is the most likely reason?
52. An administrator is troubleshooting decryption-related connectivity issues. Which two log types should be examined to gather information about decryption actions and errors?
53. During SSL decryption, which three factors can cause the firewall to fail to decrypt a session or to bypass decryption?
54. A security analyst needs to monitor decryption performance and identify sessions that are bypassing decryption due to policy or technical reasons. Which two monitoring tools or methods can provide this insight?
55. A hospital network uses a Palo Alto Networks firewall with outbound SSL decryption. The IT security team notices that during peak hours, the firewall CPU utilization spikes to 95% when decryption is enabled, causing latency for all users. They have already upgraded to maximum licensed throughput and added a dedicated decryption engine. However, the issue persists. The network has 10,000 endpoints and 500 Mbps throughput. The decryption policy includes rules to decrypt all traffic to critical medical cloud services (EHR, PACS) and social media sites. What should the administrator do first to reduce CPU load?
56. A financial services firm deploys inbound SSL decryption to inspect all HTTPS traffic to their customer-facing web application. After enabling decryption, customers report that they are unable to connect to the web app and receive 'This site can’t provide a secure connection' errors. The firewall logs show no decryption errors, and traffic logs show the sessions are matched to the decryption rule but no decryption action is taken. The web app uses a wildcard certificate (*.example.com). The firewall's decryption certificate is imported from the server's private key. What is the most likely cause?
57. A university uses a Palo Alto firewall for outbound SSL decryption. The IT helpdesk receives complaints that students cannot access certain educational resource websites (e.g., online libraries, research databases) after decryption was enabled. The firewall logs show 'decryption failure' for these sites with reason 'certificate validation failure'. The decryption profile is set to 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers'. The helpdesk verifies that the root CA certificate is installed on all endpoints. The issue is intermittent and only affects a few sites. What should the administrator do?
58. A company has a Palo Alto firewall with both inbound and outbound decryption. The security team notices that some traffic to a specific internal server is being double-decrypted: first by inbound decryption when the client is internal, and second by outbound decryption when the server initiates connections to external resources. This causes performance issues and certificate warnings. The firewall policy has separate rules for inbound and outbound decryption, and all internal traffic passes through the firewall. How should the administrator resolve this?
59. Refer to the exhibit. An administrator notices a high number of decryption failures. What is the most likely cause?
60. Which TWO actions are recommended for monitoring decrypted traffic on a Palo Alto Networks firewall?
61. A large enterprise uses Palo Alto Networks firewalls with SSL Forward Proxy to inspect all HTTPS traffic (port 443) from internal users. Recently, users have reported slow web browsing and intermittent failures when accessing certain financial and healthcare websites. The firewall's dataplane CPU consistently reaches 85-95% during business hours. The decryption policy is configured with a single rule that decrypts all outbound HTTPS traffic using the default SSL Forward Proxy settings. The firewall is a PA-5250 with ample license capacity. What should the administrator do to resolve the performance issues while maintaining security posture?
62. Refer to the exhibit. A network administrator notices that SSL decryption performance has degraded. Based on the exhibit, which factor is most likely contributing to the performance issue?
63. Refer to the exhibit. A security analyst wants to ensure that all HTTPS traffic from internal users to the internet is decrypted for inspection. However, traffic from the 'corp-users' group is being blocked instead of decrypted. Which configuration change should be made?
64. Refer to the exhibit. A network engineer observes a high number of SSL handshake failures. Which action is most likely to reduce these failures?
65. Refer to the exhibit. An administrator notices that some HTTPS sessions are not being decrypted. Which configuration change would address the most common cause of decryption failures shown?
66. Refer to the exhibit. An administrator configures decryption for HTTPS traffic from internal users. However, traffic using TLS 1.3 is not being decrypted. Which change should be made to decrypt TLS 1.3 traffic?
The Decryption and Monitoring domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 66 questions in the Decryption and Monitoring domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Decryption and Monitoring domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.