Practice PCNSE Securing Traffic and App-ID questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?
2. During a security audit, it is discovered that some HTTP traffic is being incorrectly identified as 'web-browsing' instead of 'ssl' even though the traffic uses HTTPS. The firewall is positioned as a transparent bridge and no SSL decryption is configured. What is the most likely cause?
3. A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?
4. A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?
5. An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?
6. Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?
7. Which THREE of the following can cause App-ID to incorrectly identify traffic?
8. Refer to the exhibit. A firewall administrator is troubleshooting why some applications are not being correctly identified. The firewall is running App-ID version 8000-7120. What does the 'appid packet buffer: 1024 KB' indicate?
9. Refer to the exhibit. A network engineer wants to allow only 'ms-update' and 'facebook-base' traffic. After committing the above security policy, they find that 'ssl' traffic is also being allowed. What is the most likely reason?
10. A security engineer is troubleshooting a Palo Alto Networks firewall where HTTP traffic is being incorrectly identified by App-ID. The engineer has verified that the application is correctly configured in the application override policy. Which two factors could cause App-ID to fail to recognize the application?
11. Refer to the exhibit. A network engineer notices high CPU utilization on the firewall. The output shows that 4500 sessions are pending App-ID identification. What is the most likely cause of the high number of pending sessions?
12. A company uses App-ID to identify traffic on their Palo Alto Networks firewall. They notice that a particular application, custom-db-sync, is not being identified correctly. The traffic uses a proprietary protocol over TCP port 4444. The firewall currently has a security rule allowing any application on that port. Which step should the engineer take to enable App-ID to correctly identify custom-db-sync?
13. A network engineer is troubleshooting an issue where a web application is being incorrectly identified as 'web-browsing' instead of 'webmail-gmail' by the Palo Alto Networks firewall. The firewall has App-ID enabled and all signatures are up to date. Which TWO actions should the engineer take to resolve this misidentification?
14. Order the steps to configure a security policy allowing HTTP traffic from the inside to the outside zone.
15. Order the steps to upgrade the PAN-OS software on a standalone firewall.
16. Match each PAN-OS component to its description.
17. Match each decryption type to its description.
18. An administrator needs to create a custom application for a proprietary database protocol that uses TCP port 7890. What is the first step in defining this application in App-ID?
19. An engineer wants to block all peer-to-peer file sharing traffic using App-ID. What security policy action should be used?
20. A network engineer notices that traffic from an internal user to a web application is being incorrectly identified as 'web-browsing' instead of the custom application 'my-app'. The engineer has already created a custom application 'my-app' with the correct signature. What is the most likely reason for the misidentification?
21. A security team is deploying SSL Decryption for inbound traffic to protect against threats hidden in encrypted traffic. However, they want to exclude financial transactions that use client certificates for authentication. What is the best approach?
22. An engineer wants to block the use of file-sharing application BitTorrent, but allow file transfers over SFTP which also uses port 22. What is the most effective way to achieve this using App-ID?
23. During an audit, it is discovered that some traffic from a legacy application is being incorrectly identified as 'ssl' because the application uses a custom encryption scheme over TCP port 443. The engineer has created a custom application signature that matches the legacy application's handshake. What additional configuration is needed to ensure the legacy application is correctly identified?
24. A company has a Palo Alto Networks firewall in a high-availability active/passive setup. After a failover event, the new active firewall is not correctly identifying some custom applications. The custom application objects and signatures are synchronized via Panorama. What is the most likely cause?
25. An administrator is configuring SSL Forward Proxy decryption and wants to ensure that traffic to internal servers with self-signed certificates is decrypted, but traffic to external banking sites is excluded from decryption. They have created a decryption policy with two rules: first rule with 'No Decrypt' for the external banking URLs, second rule with 'Decrypt' for all other traffic. However, the banking traffic is still being decrypted. What is the most likely issue?
26. A network security engineer is troubleshooting an issue where certain VoIP traffic is being dropped by the firewall. The traffic logs show that the application is identified as 'voip' and the security rule allows 'voip'. However, the traffic is still being dropped. What should the engineer check next?
27. A security administrator needs to block an application that uses multiple ports, including dynamic ports. Which of the following methods can be used to block this application using App-ID? (Choose two.)
28. An engineer is configuring App-ID for a network that uses both standard and custom applications. Which of the following are best practices for using App-ID effectively? (Choose three.)
29. During a security incident, an analyst notices that certain malware traffic is using port 443 but is being identified as 'ssl'. The malware uses a unique handshake that differs from standard SSL. Which two actions should the analyst take to correctly identify and block this malware? (Choose two.)
30. Given the security policy above, what will happen to an HTTP request from a user to a public website?
31. An engineer checks the application counter and sees that my-custom-app has zero packets, but they expected traffic from 10.0.0.0/24 to 10.1.0.0/24 to be identified as my-custom-app. What is the most likely reason?
32. A threat log entry shows a threat detected in SSL traffic to 10.0.0.5, which is a server in the internal network. However, the decryption policy has a rule to no-decrypt traffic to 10.0.0.0/8 from internal sources. What is the most likely reason the threat was detected?
33. A network administrator notices that web-browsing traffic is being classified as 'incomplete' in the App-ID table. What is the most likely cause?
34. A company uses a custom application for internal VoIP traffic. The custom App-ID signature is configured with the correct protocol and port, but traffic is still not matching. The firewall shows the application as 'unknown-tcp'. What should the administrator check next?
35. An organization has two different applications (AppA and AppB) that both use TCP port 8080. The firewall must apply different security policies to each application. What is the recommended approach?
36. A firewall shows session logs with application 'incomplete' for many SSL connections. Which action should be taken to improve App-ID accuracy?
37. A network engineer wants to reduce the number of applications in security policies by combining several applications that are always used together. What is the best practice?
38. A firewall in a high-availability pair shows that App-ID signatures are not syncing between units. Sessions are failing over but application identification is incorrect on the passive unit. What should the administrator verify?
39. When configuring a custom application signature, which field is mandatory to define the application?
40. A security policy has an application list with 'facebook-chat' and 'facebook-base'. A user reports that Facebook messages are being blocked. The firewall logs show the application as 'facebook-base' but not as 'facebook-chat'. What is the most likely reason?
41. During a security audit, it is discovered that a custom application signature matches too broadly, causing benign traffic to be classified as the custom app. What change should be made to narrow the signature?
42. Which TWO factors can cause traffic to be classified as 'incomplete' by App-ID? (Choose two.)
43. Which THREE attributes can be used in a custom App-ID signature to identify an application? (Choose three.)
44. Which TWO are best practices when configuring App-ID for a production environment? (Choose two.)
45. A security administrator notices that HTTP traffic is correctly identified as web-browsing but HTTPS traffic is showing as ssl. The company uses a custom HTTPS-based application that needs to be identified by its own App-ID. What should the administrator do?
46. A company has an application signature for an internal ERP system that uses a proprietary protocol over TCP port 4444. The ERP traffic is sometimes misidentified as unknown-tcp. Which App-ID mechanism should be used to improve identification without affecting the default App-ID engine?
47. During a security audit, an administrator finds that traffic on TCP port 443 is classified as web-browsing, but the firewall is configured to use SSL decryption. However, the traffic is not decrypted because it uses a self-signed certificate from an internal CA that is not trusted by the firewall. How should the administrator fix this to enable proper App-ID?
48. An administrator wants to apply different security policies for different applications that may use the same IP addresses and ports. Which firewall configuration feature should be used?
49. After upgrading PAN-OS from version 9.1 to 10.0, an administrator notices that traffic for an internal custom application is now classified as unknown-tcp instead of the expected custom application. The application was defined using a custom App-ID in the previous version. What is the most likely cause?
50. A network administrator wants to ensure that all traffic traversing the firewall is correctly identified by App-ID before any security policies are evaluated. Which step is essential?
51. An organization uses a SaaS application that runs on a dynamic set of IP addresses. The application traffic is currently identified as ssl and not as the specific application. How can the administrator improve application identification for this SaaS application?
52. Which TWO actions can help App-ID correctly identify a custom application that communicates over TCP port 8443 using SSL/TLS with a known internal hostname?
53. An administrator is troubleshooting low throughput for a business-critical application that is identified as web-browsing instead of the custom app. The firewall is in inline mode. Which THREE potential causes should be investigated?
54. Which TWO settings must be configured in a security policy rule to ensure the rule only matches when a specific application is detected on its standard port?
55. Refer to the exhibit. An administrator notices that HTTPS traffic to a specific website is being denied. What is the most likely cause?
56. A large enterprise uses a custom application that communicates over TCP port 8080 using HTTP. The application traffic is correctly identified as 'custom-app' by App-ID. Recently, the development team changed the application to use HTTPS on the same port. The firewall administrator updated the security policy to allow the application, using the same application name, but now the traffic is being denied. The firewall logs show the application as 'ssl' and the action 'deny'. The security policy has a rule that allows 'custom-app' from inside to outside. What should the administrator do to resolve this issue?
57. A managed security service provider (MSSP) manages firewalls for multiple customers. One customer reports that their ERP application traffic is being dropped intermittently. The firewall logs show that the traffic is sometimes identified as 'erp-app' and allowed, and other times identified as 'unknown-tcp' and denied. The ERP application uses a proprietary protocol over TCP port 5555. The firewall has a custom application definition for 'erp-app' that uses a data pattern. The administrator verifies that the data pattern is correct. What should the administrator do to ensure consistent identification?
58. A school district wants to allow YouTube for Education (a subcategory of YouTube) but block general YouTube traffic. The firewall uses URL filtering and App-ID. Currently, all YouTube traffic is identified as 'youtube' application, and the URL filtering category is 'educational-videos' for the education version. The administrator creates a security rule that allows application 'youtube' and URL category 'educational-videos'. However, all YouTube traffic is being blocked. What is the most likely cause?
59. A financial trading firm has a low-latency network. The firewall administrator notices that some trading application traffic is being dropped sporadically. The security policy allows the application 'trading-app' over default port 5000. The logs show the application is identified correctly as 'trading-app', but the action is deny. The administrator checks the security policy and finds that there is a prior rule that denies all traffic with application 'unknown-tcp'. What could be causing the trading application traffic to match the deny rule?
60. Dynamics Inc., a mid-sized company, uses Palo Alto Networks PA-5250 firewalls at their data center. They recently deployed a new web-based CRM application that uses HTTPS and WebSocket connections on TCP port 8443. The security team configured a custom application 'crm-app' with a signature that matches the 'Host' header in HTTP requests, and set the protocol decoder to 'tcp' and the port to 8443. The application is used in a security policy to allow traffic from internal users to the CRM server. However, after deployment, the traffic logs show the application is identified as 'ssl' instead of 'crm-app'. The firewall's App-ID and threat prevention subscriptions are active and up to date. The team has verified that the custom application signature is correctly configured, and the traffic clearly matches the defined host header. Which action should be taken to ensure the CRM traffic is correctly identified by App-ID?
61. Refer to the exhibit. A user at 10.1.1.100 reports that they cannot access a website at 10.2.2.200 over HTTPS. The firewall shows the session is allowed with application web-browsing, but the security policy rule "Allow-Web" has application set to ssl. What is the most likely cause?
62. A security administrator is configuring App-ID to identify custom applications over TCP port 8080. The traffic is HTTP-based but the firewall is classifying it as 'web-browsing'. Which two steps should the administrator take to ensure the traffic is correctly identified as the custom application? (Choose two.)
63. A company uses a Palo Alto Networks firewall with App-ID enabled. They have a custom application that communicates over TCP port 5001. The administrator has created a custom App-ID signature and a security rule that allows this application from the internal zone (trust) to the external zone (untrust). Users report that the custom application traffic is being blocked. The administrator checks the traffic logs and sees that the sessions are being matched to a different security rule that denies any traffic from trust to untrust. The deny rule appears before the custom allow rule in the policy list. The custom App-ID signature is properly defined and tested. What should the administrator do to resolve this issue?
The Securing Traffic and App-ID domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 63 questions in the Securing Traffic and App-ID domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Securing Traffic and App-ID domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.