Practice PCNSE Manage, Monitor and Operate questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?
2. An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?
3. A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?
4. A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?
5. An administrator is troubleshooting high CPU usage on a PA-5250 firewall. The CPU usage spikes every 5 minutes. Which CLI command should be used to identify the process causing the spike?
6. A firewall is configured with two ISPs for redundancy. The administrator wants to ensure that traffic from internal users is load-balanced across both links based on source IP. Which configuration method should be used?
7. An administrator receives an alert that a firewall's disk usage is at 85%. The administrator wants to reduce disk usage by automatically deleting older log files. Which action should be taken?
8. A firewall is deployed in an Active/Passive HA pair. The administrator notices that the passive firewall is not synchronizing configuration changes. The 'show high-availability state' command shows the passive firewall in a 'non-functional' state. What is the most likely cause?
9. A security team needs to capture traffic for forensic analysis of a specific application that uses non-standard ports. The administrator wants to capture packets on the firewall for that application only, without affecting performance. Which method should be used?
10. Which TWO of the following are valid methods to upgrade the PAN-OS software on a firewall? (Choose two.)
11. Which THREE of the following are valid actions that can be taken on a dynamic block list entry? (Choose three.)
12. Which TWO of the following are valid considerations when configuring Log Forwarding for Panorama? (Choose two.)
13. Refer to the exhibit. The firewall's disk usage is at 85% overall, and the /opt/panlogs partition is at 92%. The administrator wants to free up space without losing important log data. Which action should be taken first?
14. Refer to the exhibit. The firewall is experiencing high dataplane CPU usage (85%) with 45,000 active sessions out of a maximum of 100,000. Which of the following is the most likely cause of the high CPU?
15. Refer to the exhibit. The firewall is active in an HA pair, but the peer is non-functional. The HA2 link is down. What is the most likely cause of the peer being non-functional?
16. A medium-sized enterprise has a PA-3220 firewall deployed in a data center with two ISPs (ISP-A and ISP-B) for redundancy. The firewall is configured with two virtual routers: VR-Trust for internal networks and VR-Untrust for external connections. Each ISP is connected to a separate physical interface (ethernet1/1 for ISP-A, ethernet1/2 for ISP-B) and both are placed in VR-Untrust with static default routes. The internal network uses 10.0.0.0/16. The firewall has a security policy that allows all outbound traffic from internal to external. Recently, users have reported that internet access is slow during peak hours. The administrator checks the dataplane CPU and sees it averaging 80-90%. The session count is 200,000 out of a maximum of 500,000. The administrator also notices that the firewall is using only ISP-A for all outbound traffic, even though both ISPs have equal bandwidth. The administrator wants to reduce CPU usage and utilize both ISP links. Which action should the administrator take?
17. A large organization has a PA-5250 firewall pair in active/passive HA mode. The firewalls are managed by Panorama. The security team recently created a new security policy rule to block a specific application (app-block-rule) and pushed the configuration from Panorama. After the push, the active firewall shows the new rule in the security policy list, but traffic matching the rule is not being blocked. The administrator checks the traffic logs and sees that the traffic is being allowed by a different rule with a higher priority. The administrator also notices that the 'app-block-rule' has an 'any' source and destination zone, but the allowed rule has specific zones. The administrator runs 'show session info' and sees that the sessions were created before the policy push. The administrator wants to ensure that existing sessions are subject to the new policy. Which action should the administrator take?
18. Arrange the steps to configure a new zone on a Palo Alto Networks firewall in the correct order.
19. Arrange the steps to configure a new administrator account with role-based access.
20. Match each Palo Alto Networks feature to its primary function.
21. Match each Palo Alto Networks product to its primary use case.
22. A network administrator notices that traffic logs are not being sent to the external Syslog server. The log forwarding profile is configured correctly. Which CLI command should be used to verify the Syslog server connectivity from the firewall?
23. A security team is implementing SSL Decryption. They want to ensure that traffic to health-related websites is not decrypted due to privacy concerns. Which method should they use to exclude this traffic?
24. Two firewalls in an active/passive HA configuration are not synchronizing sessions. The 'show high-availability state' command shows both peers as 'active' and 'passive' correctly, but session synchronization is not working. What is the most likely cause?
25. An administrator wants to receive SNMP traps from the firewall for critical events such as failed login attempts and high CPU usage. Which configuration step is required?
26. A team uses the Panorama API to generate custom reports. They need to retrieve a list of all rules that have logging at session end enabled. Which API endpoint should be used?
27. During a Panorama upgrade from version 9.0 to 9.1, the administrator notices that the commit fails on one of the managed firewalls with the error: 'Mismatched content version'. What is the most likely cause?
28. An administrator needs to generate a tech support file for TAC. Which CLI command accomplishes this?
29. A company wants to forward logs from a firewall to a SIEM system with high reliability. Which log forwarding method ensures that logs are not lost if the SIEM is temporarily unreachable?
30. A firewall is experiencing slow performance. The administrator runs 'show counter global' and sees that the 'flow_aged_error_tcp_mss' counter is incrementing rapidly. What does this indicate?
31. Which TWO methods can be used to monitor traffic passing through a Palo Alto Networks firewall?
32. Which THREE steps should be performed when upgrading an active/passive HA pair to a new PAN-OS version?
33. Which TWO configurations are required for User-ID to work using the Windows User-ID Agent (WUA) in a distributed environment?
34. Refer to the exhibit. What does the uptime indicate?
35. Refer to the exhibit. Which SSL protocol version is blocked as per this decryption profile?
36. Refer to the exhibit. Based on the log entry, what action was taken on this traffic?
37. A firewall is dropping traffic that should be allowed. The security policy appears correct. An administrator checks the session table and notices the session state is 'CLOSE'. What is the most likely cause of the traffic being dropped?
38. A network engineer needs to configure SNMP traps on a PA-5250 running PAN-OS 10.2 to alert when CPU usage exceeds 80% for more than 10 minutes. Which CLI command should be used to set this threshold?
39. An administrator wants to see only the candidate configuration changes that have not yet been committed. Which CLI command should be used?
40. An engineer notices a decrease in network performance and wants to verify if a specific security policy is being triggered frequently. Which CLI command will show the hit count for a specific policy?
41. A company uses Panorama to manage multiple firewalls. An administrator pushes a template that includes a new Security Profiles group, but the firewalls do not receive the profile group. What is the most likely cause?
42. A firewall is experiencing performance issues. The administrator wants to collect diagnostic data for TAC analysis. Which command generates a comprehensive support file?
43. An administrator reviews a traffic log entry: 'Source: 10.0.0.10, Destination: 8.8.8.8, Application: web-browsing, Action: allow, Bytes Sent: 500, Bytes Received: 1200'. What does this log entry indicate about the traffic?
44. Two firewalls in an active/passive HA pair are not synchronizing. The administrator checks 'show high-availability state' and sees 'active' on both firewalls. What is the most likely cause?
45. An administrator wants to view real-time CPU and memory usage on the firewall. Which CLI command should be used?
46. Which TWO are required for SNMP monitoring of a Palo Alto Networks firewall? (Choose two.)
47. Which THREE are valid methods to collect logs from a firewall to Panorama? (Choose three.)
48. Which THREE are common causes of high CPU utilization on a Palo Alto Networks firewall? (Choose three.)
49. What does the session state 'SYN_SENT' indicate about this traffic flow?
50. An administrator has applied the above configuration on a firewall. What will happen to traffic destined to TCP port 2525?
51. The traffic log shows a threat severity 'medium' and the threat log shows action 'allow' for the same session. What is the most likely reason that the threat was allowed?
52. A network administrator notices that traffic from a specific internal subnet is not being logged to the firewall's system logs despite log forwarding being configured. The firewall is running PAN-OS 10.1. Which configuration is most likely causing the issue?
53. After upgrading a PA-5250 from PAN-OS 9.1 to PAN-OS 10.1, the firewall fails to establish IPsec VPN tunnels with remote peers. The crypto profiles and IKE gateways appear unchanged. What is the most likely cause?
54. An organization is experiencing intermittent connectivity issues with their GlobalProtect remote access VPN. Users report that they can connect but after a random period (20-40 minutes) the tunnel drops and reconnects. The firewall has sufficient licensing. Which setting should be reviewed first?
55. A firewall administrator needs to ensure that traffic matching a specific security policy rule is always logged to Panorama even if the local firewall's management plane is temporarily unreachable. Which configuration should be used?
56. An engineer is troubleshooting a security policy that is not matching traffic as expected. The traffic is from source IP 10.1.1.10 to destination 172.16.0.1 port 443. The policy has source zone 'Internal', destination zone 'DMZ', source address '10.1.1.0/24', destination address '172.16.0.0/24', application 'ssl'. The firewall shows the traffic hitting a different rule. What is the most likely cause?
57. A company has a PA-3260 firewall configured with multiple virtual routers for segmentation. A new subnet 192.168.30.0/24 is added behind a Layer 3 interface that is part of virtual router 'VR-A'. The administrator adds a static route on the firewall to reach the subnet via next-hop 10.0.0.1. However, hosts in another virtual router 'VR-B' cannot reach the new subnet. The route is present in VR-A's routing table. What should the administrator do to resolve the issue?
58. A user complains that they cannot access internal resources via GlobalProtect. The firewall shows the user is connected with an IP address from the tunnel pool. Which log type should the administrator check first to determine if traffic is being allowed or denied?
59. An organization is migrating from a legacy firewall to a Palo Alto Networks firewall and needs to ensure that all existing application-based policies are accurately replicated. The engineer exports the configuration from the old firewall and imports it using the 'Config Audit' feature. After import, the engineer notices that many security policy rules have the application set to 'any' instead of the specific applications from the old firewall. What is the most likely reason?
60. A firewall is configured with User-ID using the 'Server Monitoring' method via LDAP. The administrator notices that user-to-IP mappings are only being updated every 60 minutes instead of the configured 15-minute polling interval. The LDAP server is reachable and responds quickly. What configuration parameter is most likely causing the delayed update?
61. A firewall administrator needs to configure a new security policy rule to block traffic from the 'Guest' zone to the 'Corporate' zone for all ports except HTTP and HTTPS. Which two configuration steps are required? (Choose two.)
62. A security engineer is investigating a potential data exfiltration incident. The firewall logs show that a host in the DMZ made outbound connections to multiple external IPs on port 443, but the traffic was allowed. The engineer wants to review detailed session information including the amount of data transferred and the application used. Which three log types or tools should the engineer use? (Choose three.)
63. An administrator needs to configure a firewall to send email alerts when a specific security policy rule is triggered. Which two configuration elements are required? (Choose two.)
64. The security policy rule shown in the exhibit has log-start and log-end both set to 'no', but a log-forwarding profile is configured. Which statement best describes the logging behavior for sessions matching this rule?
65. A GlobalProtect gateway is configured as shown. Remote users report that they can connect to the gateway but cannot authenticate. The users are using the GlobalProtect client with certificate authentication. What is the most likely cause?
66. The firewall log shows repeated IKE phase 1 negotiation failures. The remote peer is a third-party VPN device. Which of the following is the most likely cause?
67. A network administrator notices that traffic from a specific IP address is being blocked unexpectedly. The traffic is allowed in the security policy. What is the most likely cause?
68. A company has configured User-ID with Active Directory polling. Some users cannot access resources even though their security policy rules appear correct. The administrator verifies that the User-ID agent is connected and polling. What additional step should the administrator take?
69. A firewall is configured with two virtual routers in an active/passive HA pair. The active firewall fails over, and after failover, traffic is not passing through the new active firewall. The interface IP addresses are configured as virtual IPs. What is the most likely cause?
70. An administrator needs to generate a report showing all traffic denied by the firewall over the past week. Which type of report in the firewall web interface should be used?
71. A network engineer is troubleshooting high latency on the firewall. Which THREE commands from the CLI should be used to identify potential bottlenecks? (Choose three.)
72. A firewall is part of a Panorama-managed environment. The administrator needs to ensure that only specific administrators can commit changes to devices. Which TWO actions are required? (Choose two.)
73. A small business uses a single PA-220 firewall with PAN-OS 10.2. The administrator notices that the firewall is no longer receiving automatic threat updates. The License page shows the Threat Prevention license is active with 200 days remaining. The administrator can manually download updates from the Palo Alto Networks update server. What is the most likely cause?
74. An organization has a pair of PA-5250 firewalls in active/passive HA. During a maintenance window, the active firewall is rebooted. After the reboot, the firewall that was passive becomes active and passes traffic. However, the other firewall remains in a non-functional state and shows 'unknown' as HA state. The administrator checks the HA configuration and finds both firewalls have the same HA settings. What is the most likely issue?
75. A large enterprise uses Panorama to manage 100+ firewalls. The security team wants to deploy a new security policy rule to block a specific application across all firewalls. The rule must be placed before the existing rules. The administrator creates the rule in the appropriate rulebase in the device group and pushes. However, the rule appears at the end of the rulebase on the managed firewalls. What is the most likely cause?
76. A network administrator is troubleshooting an issue where HTTPS traffic to a particular website is being blocked. The security policy rule allows SSL traffic to that website. The firewall logs show the traffic is being blocked by the URL Filtering profile. The URL Filtering profile is set to allow the category 'Business-and-Economy'. The website belongs to the category 'Shopping'. What action should the administrator take?
77. A financial institution operates a pair of PA-5260 firewalls in active/active HA using Virtual Wire mode. They are experiencing intermittent asymmetric traffic flows causing session setup failures. The firewall logs show sessions being created with a one-sided flow. Which configuration change is most likely to resolve this issue?
78. A security operations center (SOC) uses Panorama to monitor all firewalls. They notice that some log entries show a severity of 'critical' but the alerting system does not fire. The log forwarding profile on Panorama is configured to send syslog alerts for severity 'critical'. The syslog server receives other logs from Panorama but not these critical logs. The administrator checks the Panorama configuration and finds that the log forwarding profile is applied to the correct log types. What is the most likely issue?
79. A systems administrator needs to configure log forwarding to an external syslog server for Security policies. Which two actions are required to achieve this? (Choose two.)
80. Refer to the exhibit. A network engineer notices that logs for this rule are not being forwarded to the external syslog server. The syslog server profile is configured correctly. What is the most likely cause?
81. A large enterprise has deployed two Palo Alto Networks PA-5250 firewalls in active/passive HA mode with Panorama for centralized management. The network contains over 10,000 users across multiple sites. Recently, the security team deployed a new security policy rule to block a set of high-risk applications. After the commit, the firewall's CPU utilization spiked to 95% and sessions started to drop intermittently. The firewall logs show a high number of session setup failures and timeouts. The existing security policy contains over 5,000 rules. The new rule uses application-based filtering and is placed near the top of the rulebase. What is the most effective course of action to reduce CPU load while maintaining security?
The Manage, Monitor and Operate domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 81 questions in the Manage, Monitor and Operate domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage, Monitor and Operate domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.