Practice PCNSE Core Concepts and Architecture questions with full explanations on every answer.
1. A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?
2. A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?
3. An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?
4. During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?
5. A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?
6. A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?
7. Which Panorama deployment mode allows centralized management of firewalls while storing logs locally on each firewall instead of sending them to the Panorama log collector?
8. A firewall has the routing table shown. A packet arrives on ethernet1/2 with source IP 10.0.0.50 and destination IP 10.0.0.100. Which route will be used for forwarding?
9. An administrator runs the commands and sees the output. The session shows an SSL application from trust to untrust. However, the traffic is actually a custom application over TCP 44321 that the firewall incorrectly identifies as SSL. Which configuration step will most accurately identify the custom application?
10. Which TWO are valid dataplane components in a Palo Alto Networks firewall? (Choose two.)
11. Which THREE factors are considered when a Palo Alto Networks firewall performs application identification (App-ID) on a session? (Choose three.)
12. A company runs a mixed environment of physical and virtual Palo Alto Networks firewalls (PA-5250, VM-300) managed by a single Panorama. The company recently deployed a new application that uses the QUIC protocol (UDP 443) for performance. After the deployment, the security team notices that the firewall is not accurately identifying the QUIC traffic, and some QUIC sessions are being dropped unexpectedly. The firewall logs show 'application: incomplete' for these sessions. The security team wants to ensure QUIC traffic is properly identified and allowed. The team has configured a security policy rule to allow 'ssl' application (thinking QUIC is similar to SSL) but the problem persists. The firewall is running PAN-OS 10.1. Which of the following is the best course of action?
13. A security engineer is troubleshooting a traffic drop issue on a Palo Alto Networks firewall. The traffic is allowed by the security policy, but the session is being terminated. Which two features could cause this behavior? (Choose two.)
14. A network administrator is configuring a new Palo Alto Networks firewall in a high-availability active/passive setup. The firewall will be placed in Layer 3 mode. Which THREE steps are required to ensure proper operation? (Choose three.)
15. Refer to the exhibit. A firewall administrator is investigating why traffic from a source IP 10.1.1.100 to destination 192.168.1.50 is not establishing sessions. The firewall has been up for 45 days. Based on the counters shown, what is the most likely cause?
16. A company recently deployed a Palo Alto Networks PA-5250 firewall in a data center. The firewall is configured with multiple virtual routers and is connected to an MPLS WAN router and an internet router. The network team reports that users can access internet resources but cannot reach a critical application hosted in a remote branch office over the MPLS link. The application uses TCP port 443 and is accessed via a fully qualified domain name (FQDN). The security policy includes a rule that allows traffic from the internal zone to the MPLS zone with the application 'ssl' and the destination address set to the FQDN of the application server. The internal DNS server resolves the FQDN correctly to the private IP address 10.20.30.40. The firewall has DNS proxy enabled, but the DNS server is configured as the internal DNS server. The administrator runs a packet capture and sees that the firewall is sending DNS queries for the FQDN to the internal DNS server but the response is not being used to update the dynamic address group (DAG) that is referenced in the security policy. The DAG is configured with a 'FQDN' match criteria. What is the most likely cause?
17. A security administrator is troubleshooting a traffic drop between two internal zones. The firewall shows that the session is being terminated with a 'tcp-fin' reason. The administrator verifies that the application is set to 'web-browsing' and the service is 'application-default'. What is the most likely cause of the session termination?
18. An organization is deploying a pair of PA-5250 firewalls in active/passive high availability. The network team notices that the passive firewall is not receiving synchronization updates. Both devices have the same software version and licenses. The HA1 control link is connected and shows 'up' in 'show high-availability state'. What is the most likely reason for the synchronization failure?
19. A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?
20. Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.
21. Match each log type to its content.
22. A company needs to deploy a firewall in transparent inline mode to filter traffic between two switches without requiring any IP address changes on existing devices. Which interface type should be configured?
23. An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?
24. An enterprise requires separate administrative domains within a single firewall chassis for different business units. Each domain must have its own virtual router, security policies, and interface configuration. What is the appropriate PAN-OS feature?
25. Which component of the PAN-OS architecture is responsible for processing security policies and performing packet inspection?
26. An organization wants to map user identity from Active Directory for traffic coming from internal LAN users without installing any agent on domain controllers. Which User-ID mapping method should be used?
27. A firewall's dataplane CPU is consistently at 95% utilization even though session count is normal. Analysis shows that a large number of small packets are being processed. Which feature could be causing excessive dataplane processing?
28. A security engineer wants to identify applications in SSL/TLS encrypted traffic without decrypting the payload. Which method can be used?
29. In an active/passive high-availability pair, the firewall fails over unexpectedly. Investigation shows that the active unit lost connectivity to the upstream router but the link is still up. Which monitoring feature should be configured to prevent false failovers due to temporary router unreachability?
30. A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?
31. Which TWO components are part of the PAN-OS management plane?
32. Which THREE are valid methods for User-ID mapping in PAN-OS?
33. Which TWO statements correctly describe the role of the data plane in PAN-OS architecture?
34. Refer to the exhibit. What does the serial number '0123456789' indicate?
35. Refer to the exhibit. A packet from 10.0.0.5 to 8.8.8.8 on TCP port 443 (HTTPS) arrives. Source zone is trust, destination zone is untrust. The packet is dropped. What is the most likely reason?
36. Refer to the exhibit. An administrator sees this log entry. What does it indicate?
37. A company has configured a security policy that allows HTTP traffic from the internal network 10.0.0.0/8 to the internet. However, users from subnet 10.2.0.0/24 are unable to access external websites. The firewall logs show that traffic from 10.2.0.100 to 203.0.113.1 on port 80 is being denied. Which action should the administrator take to resolve the issue?
38. A company implements SSL Forward Proxy decryption. Users complain that accessing certain websites, such as video streaming and software updates, is slow. Which action should the administrator take to improve performance?
39. A multinational organization uses a pair of PA-5250 firewalls in an active/passive high-availability configuration across two data centers. They need to ensure that all management traffic (SSH, HTTPS) to the firewalls is encrypted and sourced only from a dedicated management network (10.10.0.0/24). Which configuration meets these requirements?
40. Refer to the exhibit. A user with IP 10.1.1.100 from the internal zone is trying to access http://203.0.113.1. What will the firewall do?
41. Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?
42. Refer to the exhibit. What does the 'Session End Reason: aged-out' indicate about the traffic?
43. Which two are valid methods for collecting User-ID information on a Palo Alto Networks firewall? (Choose two.)
44. Which two are prerequisites for deploying a Palo Alto Networks firewall in a high-availability active/passive pair? (Choose two.)
45. Which three are valid security policy rule actions on a Palo Alto Networks firewall? (Choose three.)
46. An administrator needs to allow FTP traffic from the internal network to an external server. The firewall is configured with a security policy that has the application 'ftp' and service 'service-http'. What is the most likely cause of the traffic being denied?
47. A company uses Panorama to manage multiple firewalls. They want to push a security policy that applies to all firewalls but with a specific exception for one firewall in a different region. Which Panorama method should be used?
48. A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?
49. An administrator configures the management interface with IP 192.168.1.1/24 and can ping it from a host on the same subnet, but cannot access the web interface. What is the likely cause?
50. A Palo Alto Networks firewall is configured with multiple virtual routers. Traffic between two different virtual routers is not being forwarded. What is required to enable routing between them?
51. An organization uses GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show that the traffic from the GlobalProtect IP pool to internal servers is allowed. What is the most likely cause?
52. A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. Traffic fails over correctly, but after a failover, existing sessions from external users to internal servers are broken. The security team wants to prevent this disruption. Which feature must be enabled?
53. A network engineer is troubleshooting why traffic from the 10.0.1.0/24 subnet to the internet is being dropped. The firewall has the following security policies (in order): 1) Allow from 10.0.1.0/24 to 10.0.2.0/24, 2) Allow from any to any, 3) Deny from 10.0.1.0/24 to any. What is the most likely cause of the traffic being dropped?
54. An organization is implementing SSL Forward Proxy decryption to inspect outbound HTTPS traffic. They want to exclude traffic to specific internal applications that cannot handle decryption due to certificate pinning. The firewall is configured with a decryption policy that decrypts all traffic from the internal network to the internet. To exclude the pinned applications, which approach is best practice?
55. A firewall has two virtual routers: VR1 (for internal networks) and VR2 (for DMZ). An internal server in VR1 needs to reach a DMZ server in VR2. Both virtual routers have routes to each other's subnets via a shared inter-connect. The firewall is receiving traffic but is dropping packets between the virtual routers. What configuration is missing?
56. A security administrator wants to block traffic from IP address 192.168.1.100 to the internet. The firewall has a security policy that allows all outbound traffic. Which action should be taken to most efficiently block this specific host?
57. An organization uses User-ID with agent-based mapping on a Palo Alto Networks firewall. Users authenticate to a domain but some user-to-IP mappings are not showing up in the firewall's user cache. The firewall can reach the domain controllers. What is the most likely cause?
58. A firewall is configured with a destination NAT rule to translate public IP 203.0.113.10 to internal server 10.0.0.5 on port 443. Internal users from 10.0.0.0/24 can access the server using its private IP, but cannot access using the public IP. What should be configured to allow internal users to reach the server using the public IP?
59. A help desk ticket reports that a user cannot access the firewall's web management interface (HTTPS) from the management network. The management interface is on a dedicated MGMT network. Which setting must be enabled on the firewall to allow this access?
60. A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?
61. Which TWO of the following are true regarding Panorama's templates and device groups?
62. Which THREE of the following are key differences between the Palo Alto Networks Next-Generation Firewall and Cloud-Delivered Security Services (CDSS)?
63. Which TWO of the following are valid methods to collect logs from a Palo Alto Networks firewall for reporting and forensics?
64. A company is deploying a Palo Alto Networks firewall in an existing Layer 2 switched environment. They need to inspect traffic between VLAN 10 and VLAN 20 without changing the IP addresses of hosts and without performing any routing. Which firewall mode should be used?
65. An organization runs a pair of Palo Alto Networks firewalls in an active/passive HA configuration. During a maintenance window, the active firewall experiences a link down event on one of its data interfaces. The passive firewall does not assume the active role. What is the most likely reason?
66. A company configures its Palo Alto Networks firewall to decrypt outbound SSL traffic using a forward proxy. After applying the decryption policy, users report that their browsers display certificate errors when accessing HTTPS websites. The firewall's decryption certificate is self-signed. What is the most likely cause?
67. A security administrator configures a new network template in Panorama and assigns it to a template stack. The template stack is associated with a device group containing several firewalls. After committing the Panorama configuration and pushing to devices, some firewalls in the device group do not have the new template settings. What is the most likely cause?
68. Which TWO of the following are minimum required configurations to enable User-ID on a Palo Alto Networks firewall? (Choose exactly two.)
69. Which TWO of the following are mandatory requirements for forming an active/passive HA pair between two Palo Alto Networks firewalls? (Choose exactly two.)
70. Which THREE of the following are core components of the GlobalProtect solution? (Choose exactly three.)
71. A network engineer configures a Source NAT policy on a Palo Alto Networks firewall to translate internal private IP addresses to the public IP of the external interface. The NAT rule is configured with source zone 'internal', destination zone 'external', and uses 'interface address' as the translated address. The associated security rule allows traffic from 'internal' to 'external' with the translated IP as the source. After committing, users cannot access the internet. Traceroute from an internal host to 8.8.8.8 shows: Hop 1: 192.168.1.1 (firewall internal IP), Hop 2: * * * (no response). The firewall's external interface has a public IP and is in the 'external' zone. What is the most likely cause of the issue?
72. A company uses a Palo Alto Networks firewall to decrypt all outbound SSL traffic. Recently, users have reported slow internet performance. The network administrator notices that the firewall's CPU utilization is consistently above 90%. The traffic logs show that a large portion of decrypted traffic is from software update services (e.g., Windows Update, Adobe, etc.) that do not require inspection. The firewall is a mid-range model with hardware decryption acceleration. What is the most effective action to reduce CPU usage while maintaining security?
73. An organization uses GlobalProtect to provide VPN access to remote users. After connecting, users can access internal resources, but the firewall's User-ID does not show the usernames in the logs or policy matches. The GlobalProtect gateway is configured to use the authentication server for user mapping. The authentication server (LDAP) is reachable from the firewall. The firewall's User-ID settings have the 'GlobalProtect' mapping method enabled. What is the most likely reason that users are not being identified?
74. A company has a security policy rule that allows application 'ssl' from the internal zone to the external zone. Users report that they cannot access certain HTTPS websites. Logs show that the traffic is being matched by a later rule that denies application 'web-browsing'. The administrator verifies that the target websites are using standard HTTPS (port 443). The firewall's application identification has correctly identified the traffic as 'web-browsing' instead of 'ssl'. What is the most likely reason?
75. Two Palo Alto Networks firewalls are configured in an active/passive HA pair. During a scheduled maintenance, the network team reboots both firewalls simultaneously. After reboot, both firewalls appear as 'active' in the HA state. What is the most likely cause and the correct troubleshooting step?
76. A company uses Policy-Based Forwarding (PBF) to route specific traffic from internal users to a partner network through an MPLS connection. The PBF rule is configured to match source addresses 10.1.1.0/24 and forward to a next-hop of 10.2.1.1. The administrator verifies that the MPLS router is reachable from the firewall. Traffic from the 10.1.1.0/24 network does not go through the MPLS link; instead, it takes the default route out the internet connection. Logs show that the traffic hits the PBF rule. What is the most likely issue?
The Core Concepts and Architecture domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 76 questions in the Core Concepts and Architecture domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Core Concepts and Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.