
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Deploy and Configure Firewalls

Practice PCNSE Deploy and Configure Firewalls questions with full explanations on every answer.

52 questions


PCNSE Domains

Manage, Monitor and Operate
Securing Traffic and App-ID
Securing Users and Applications with Authentication
Decryption and SSL Inspection
Managing Troubleshooting and High Availability
Deploy and Configure Firewalls
Core Concepts and Architecture
Secure Access and VPN
Troubleshoot


All PCNSE Deploy and Configure Firewalls questions (52)


1

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

2

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

3

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

4

An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?

5

An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?

6

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

7

Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?

8

You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for internal corporate network, VR-B for DMZ, and VR-C for Internet edge. Each VR is associated with a separate Vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?

9

A company has deployed two PA-5250 firewalls in an active/passive high-availability pair. The passive firewall shows the status 'non-functional' after a reboot. The active firewall is still passing traffic. The administrator checks the HA configuration and sees that the preemptive setting is enabled on both firewalls. What is the most likely cause of the passive firewall showing 'non-functional'?

10

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)

11

Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?

12

Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.

13

Match each type of route to its description.

14

What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?

15

The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?

16

The source NAT rule 'SNAT-Outside' is configured to translate traffic from 10.0.0.0/8 to the interface address of ethernet1/1. However, traffic from 10.1.1.1 to the internet is not being translated. What is the most likely reason?

17

A company needs to provide internet access to 500 internal users using a single public IP address. Which NAT method should be configured?

18

A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny' with the rule being 'Allow-SSL'. What is the most likely cause?

19

By default, what is the action on traffic between two different zones without any security rule?

20

An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?

21

Which of the following is NOT a valid method to identify users for User-ID on a Palo Alto Networks firewall?

22

In an Active/Passive HA pair, which statement is true regarding configuration synchronization?

23

A company uses a custom application definition for a proprietary application that runs on UDP port 12345. The security rule allowing the application is configured, but traffic logs show the application as 'unknown' instead of matching the custom app. What is the most likely cause?

24

An administrator wants to ensure that all traffic from the 'Trust' zone to the 'Untrust' zone is inspected by WildFire. Which configuration is required?

25

In a Panorama-managed deployment, the device group has a rule called 'Allow-Web' that allows 'web-browsing'. The local firewall also has a rule with the same name and content. After Panorama pushes the device group configuration, what happens to the local rule?

26

Which TWO of the following are prerequisites for configuring User-ID on an interface?

27

Which TWO of the following are required for stateful failover in an Active/Passive HA pair?

28

Which THREE of the following are mandatory components for GlobalProtect client connectivity?

29

A company has a firewall with multiple virtual routers. They need to ensure that traffic from a specific subnet (10.1.1.0/24) can reach the internet but not other internal subnets. What is the best way to achieve this?

30

An administrator notices that URL filtering is not blocking a specific category as configured. What is the first troubleshooting step?

31

A firewall's management interface becomes unresponsive. The administrator can still ping the management IP. What is the most likely cause?

32

A company uses User-ID to map users to IPs. Some users report that their traffic is being blocked even though they are in the correct user group for access. The security policy uses user-based conditions. What is a likely cause?

33

An administrator wants to ensure that all traffic from the internal network to the internet uses a specific public IP address for source NAT. There are multiple public IP addresses available. What is the best way to achieve this?

34

A firewall is configured with two ISPs for load balancing. Traffic from certain sources should always egress via ISP-1. What is the correct configuration?

35

A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?

36

An organization has a firewall in HA active-passive mode. After a failover, the new active firewall does not have the latest session table. What should be configured to ensure session synchronization?

37

A firewall is configured with multiple virtual wire interfaces. Traffic passes through but the firewall cannot enforce security policies based on source/destination IP addresses. What is the reason?

38

Which TWO statements are true about Palo Alto Networks firewall management access?

39

Which TWO factors can cause a firewall to not show any User-ID mapping for a user who is actively logged in?

40

Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?

41

Refer to the exhibit. A user in the trust zone attempts to access HTTPS to an external server. Which rule will match?

42

Refer to the exhibit. An administrator has configured this decryption policy but users in the 10.1.1.0/24 subnet receive certificate warnings when accessing HTTPS sites. What is the most likely cause?

43

A company has a pair of Palo Alto Networks firewalls in active/passive HA. The active firewall manages all traffic. Recently, the network team reconfigured the virtual router by adding a new static route to a remote subnet via a next-hop IP on the same interface. After committing, they noticed that the passive firewall's management IP became unreachable. The active firewall continues to pass traffic normally. What is the most likely cause?

44

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?

45

A network engineer is deploying a new firewall to inspect traffic between two VLANs. The requirement is to block all traffic except HTTP and HTTPS from the internal network to a specific web server in the DMZ. The engineer applies a security policy with the following configuration: source zone Internal, destination zone DMZ, source address internal_subnet, destination address web_server, application set to 'web-browsing' and 'ssl', and action set to 'allow'. However, users report that they cannot access the web server. Which change must be made to the policy to resolve the issue?

46

Which TWO actions should be taken when deploying a Palo Alto Networks firewall in a branch office to ensure secure and efficient operation? (Choose two.)

47

A medium-sized enterprise recently deployed a PA-5250 firewall in a data center as the primary internet gateway. The network team configured the security policies to allow all outbound web traffic (HTTP/HTTPS) from the internal trust zone to the untrust zone, with URL filtering and threat prevention enabled. After the deployment, users complain that some legitimate websites, such as banking and healthcare portals, are being blocked. The team checks the URL filtering logs and sees that these sites are categorized as 'web-hosting' or 'dynamic-dns', which are in the block list. The company's compliance requires that all web traffic be inspected. What should the network engineer do to resolve the issue without reducing security?

48

A global company uses a pair of PAN-220 firewalls in an active/passive HA configuration at its headquarters. The firewalls have multiple virtual routers and dozens of zones. Recently, a network upgrade changed the physical topology: a new switch was placed between the firewalls and the ISP routers. After the upgrade, the passive firewall continuously shows 'suspended' state. The HA control link (HA1) and data link (HA2) are on separate dedicated interfaces. The Active firewall logs show: 'HA monitor peer unreachable' every few seconds. The engineer has verified IP connectivity between the HA interfaces using ping from the active to the passive HA1 IP. What is the most likely cause of the HA state issue?

49

A security engineer is deploying a new PA-5220 firewall to replace an existing legacy firewall. The environment has complex routing with OSPF and BGP. The engineer configures the firewall with multiple virtual routers: one for the internal network, one for the DMZ, and one for the external connection to two ISPs. The firewall is placed in Layer 3 mode. After the cutover, users report that they can access the internet but internal traffic between two different subnets that are both in the internal virtual router fails to route properly. The engineer checks the routing table on the internal virtual router and sees correct OSPF learned routes. The security policies allow all traffic between those subnets. What is the most likely cause of the routing failure?

50

Which TWO of the following are required to configure a Palo Alto Networks firewall for centralized management by Panorama?

51

Refer to the exhibit. A user in the 10.0.0.0/8 network is unable to access a web server at 172.16.1.10 which is in the DMZ zone. The firewall's security policy is shown. What is the most likely reason for the failure?

52

A company has deployed a Palo Alto Networks firewall in an active/passive high-availability (HA) pair. The firewall uses BGP for dynamic routing with two upstream ISPs to provide load-balanced internet connectivity. After an HA failover event, the network team notices that outbound traffic from internal hosts is now using only one of the two ISPs, even though BGP sessions are established on both firewalls and the passive firewall has learned the same routes as the active one. The security policy permits all outbound traffic. No changes were made to the BGP configuration. Which of the following is the most likely cause of this behavior, and what is the appropriate solution?


Frequently asked questions

What does the Deploy and Configure Firewalls domain cover on the PCNSE exam?

The Deploy and Configure Firewalls domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.

How many Deploy and Configure Firewalls questions are in the PCNSE question bank?

The Courseiva PCNSE question bank contains 52 questions in the Deploy and Configure Firewalls domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Deploy and Configure Firewalls for PCNSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Deploy and Configure Firewalls questions for PCNSE?

Yes — the session launcher on this page draws questions exclusively from the Deploy and Configure Firewalls domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
