Practice PCNSE Deploy and Configure Firewalls questions with full explanations on every answer.
1. A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?
2. A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?
3. A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', the destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?
4. An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?
5. An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and a destination address of any. The traffic is being denied. The engineer checks the log and sees that the rule is not matched. What is the most likely reason?
6. Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?
7. Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?
8. You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for the internal corporate network, VR-B for the DMZ, and VR-C for the Internet edge. Each VR is associated with a separate vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for a tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?
9. A company has deployed two PA-5250 firewalls in an active/passive high-availability pair. The passive firewall shows the status 'non-functional' after a reboot. The active firewall is still passing traffic. The administrator checks the HA configuration and sees that the preemptive setting is enabled on both firewalls. What is the most likely cause of the passive firewall showing 'non-functional'?
10. A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)
11. Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?
12. Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.
13. Match each type of route to its description.
14. What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?
15. The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?
16. The source NAT rule 'SNAT-Outside' is configured to translate traffic from 10.0.0.0/8 to the interface address of ethernet1/1. However, traffic from 10.1.1.1 to the internet is not being translated. What is the most likely reason?
17. A company needs to provide internet access to 500 internal users using a single public IP address. Which NAT method should be configured?
18. A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny', with the matching rule being 'Allow-SSL'. What is the most likely cause?
19. By default, what is the action on traffic between two different zones without any security rule?
20. An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?
21. Which of the following is NOT a valid method to identify users for User-ID on a Palo Alto Networks firewall?
22. In an Active/Passive HA pair, which statement is true regarding configuration synchronization?
23. A company uses a custom application definition for a proprietary application that runs on UDP port 12345. The security rule allowing the application is configured, but traffic logs show the application as 'unknown' instead of matching the custom app. What is the most likely cause?
24. An administrator wants to ensure that all traffic from the 'Trust' zone to the 'Untrust' zone is inspected by WildFire. Which configuration is required?
25. In a Panorama-managed deployment, the device group has a rule called 'Allow-Web' that allows 'web-browsing'. The local firewall also has a rule with the same name and content. After Panorama pushes the device group configuration, what happens to the local rule?
26. Which TWO of the following are prerequisites for configuring User-ID on an interface?
27. Which TWO of the following are required for stateful failover in an Active/Passive HA pair?
28. Which THREE of the following are mandatory components for GlobalProtect client connectivity?
29. A company has a firewall with multiple virtual routers. They need to ensure that traffic from a specific subnet (10.1.1.0/24) can reach the internet but not other internal subnets. What is the best way to achieve this?
30. An administrator notices that URL filtering is not blocking a specific category as configured. What is the first troubleshooting step?
31. A firewall's management interface becomes unresponsive. The administrator can still ping the management IP. What is the most likely cause?
32. A company uses User-ID to map users to IPs. Some users report that their traffic is being blocked even though they are in the correct user group for access. The security policy uses user-based conditions. What is a likely cause?
33. An administrator wants to ensure that all traffic from the internal network to the internet uses a specific public IP address for source NAT. There are multiple public IP addresses available. What is the best way to achieve this?
34. A firewall is configured with two ISPs for load balancing. Traffic from certain sources should always egress via ISP-1. What is the correct configuration?
35. A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?
36. An organization has a firewall in HA active/passive mode. After a failover, the new active firewall does not have the latest session table. What should be configured to ensure session synchronization?
37. A firewall is configured with multiple virtual wire interfaces. Traffic passes through, but the firewall cannot enforce security policies based on source/destination IP addresses. What is the reason?
38. Which TWO statements are true about Palo Alto Networks firewall management access?
39. Which TWO factors can cause a firewall to not show any User-ID mapping for a user who is actively logged in?
40. Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?
41. Refer to the exhibit. A user in the trust zone attempts to access HTTPS on an external server. Which rule will match?
42. Refer to the exhibit. An administrator has configured this decryption policy, but users in the 10.1.1.0/24 subnet receive certificate warnings when accessing HTTPS sites. What is the most likely cause?
43. A company has a pair of Palo Alto Networks firewalls in active/passive HA. The active firewall manages all traffic. Recently, the network team reconfigured the virtual router by adding a new static route to a remote subnet via a next-hop IP on the same interface. After committing, they noticed that the passive firewall's management IP became unreachable. The active firewall continues to pass traffic normally. What is the most likely cause?
44. A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?
45. A network engineer is deploying a new firewall to inspect traffic between two VLANs. The requirement is to block all traffic except HTTP and HTTPS from the internal network to a specific web server in the DMZ. The engineer applies a security policy with the following configuration: source zone Internal, destination zone DMZ, source address internal_subnet, destination address web_server, application set to 'web-browsing' and 'ssl', and action set to 'allow'. However, users report that they cannot access the web server. Which change must be made to the policy to resolve the issue?
46. Which TWO actions should be taken when deploying a Palo Alto Networks firewall in a branch office to ensure secure and efficient operation? (Choose two.)
47. A medium-sized enterprise recently deployed a PA-5250 firewall in a data center as the primary internet gateway. The network team configured the security policies to allow all outbound web traffic (HTTP/HTTPS) from the internal trust zone to the untrust zone, with URL filtering and threat prevention enabled. After the deployment, users complain that some legitimate websites, such as banking and healthcare portals, are being blocked. The team checks the URL filtering logs and sees that these sites are categorized as 'web-hosting' or 'dynamic-dns', which are in the block list. The company's compliance requires that all web traffic be inspected. What should the network engineer do to resolve the issue without reducing security?
48. A global company uses a pair of PAN-220 firewalls in an active/passive HA configuration at its headquarters. The firewalls have multiple virtual routers and dozens of zones. Recently, a network upgrade changed the physical topology: a new switch was placed between the firewalls and the ISP routers. After the upgrade, the passive firewall continuously shows the 'suspended' state. The HA control link (HA1) and data link (HA2) are on separate dedicated interfaces. The active firewall logs show 'HA monitor peer unreachable' every few seconds. The engineer has verified IP connectivity between the HA interfaces using ping from the active to the passive HA1 IP. What is the most likely cause of the HA state issue?
49. A security engineer is deploying a new PA-5220 firewall to replace an existing legacy firewall. The environment has complex routing with OSPF and BGP. The engineer configures the firewall with multiple virtual routers: one for the internal network, one for the DMZ, and one for the external connection to two ISPs. The firewall is placed in Layer 3 mode. After the cutover, users report that they can access the internet, but internal traffic between two different subnets that are both in the internal virtual router fails to route properly. The engineer checks the routing table on the internal virtual router and sees correct OSPF-learned routes. The security policies allow all traffic between those subnets. What is the most likely cause of the routing failure?
50. Which TWO of the following are required to configure a Palo Alto Networks firewall for centralized management by Panorama?
51. Refer to the exhibit. A user in the 10.0.0.0/8 network is unable to access a web server at 172.16.1.10, which is in the DMZ zone. The firewall's security policy is shown. What is the most likely reason for the failure?
52. A company has deployed a Palo Alto Networks firewall in an active/passive high-availability (HA) pair. The firewall uses BGP for dynamic routing with two upstream ISPs to provide load-balanced internet connectivity. After an HA failover event, the network team notices that outbound traffic from internal hosts is now using only one of the two ISPs, even though BGP sessions are established on both firewalls and the passive firewall has learned the same routes as the active one. The security policy permits all outbound traffic. No changes were made to the BGP configuration. Which of the following is the most likely cause of this behavior, and what is the appropriate solution?
The Deploy and Configure Firewalls domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 52 questions in the Deploy and Configure Firewalls domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.