Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Palo Alto Networks · Free Practice Questions · Last reviewed May 2026

PCNSE Exam Questions and Answers

54 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.

75 exam questions
90 min time limit
Pass: 700/1000
9 exam domains
Exam domains:
1. Deploy and Configure Firewalls
2. Securing Traffic and App-ID
3. Securing Users and Applications with Authentication
4. Decryption and SSL Inspection
5. Managing Troubleshooting and High Availability
6. Core Concepts and Architecture
7. Secure Access and VPN
8. Manage, Monitor and Operate
9. Troubleshoot

Domain 1: Deploy and Configure Firewalls

Q1 (medium)

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

A

The HA1 link is down or misconfigured.

B

The HA2 link is being used for management traffic.

C

The preemptive setting is enabled on both firewalls.

D

The HA2 link is down or misconfigured.

HA2 is the data link that carries session and state synchronization; the keyed answer is that its failure is what the active peer is reporting.

Why: In an active/passive pair the HA1 control link carries hello and heartbeat messages plus configuration synchronization, while the HA2 data link carries session, ARP and other runtime state from the active to the passive peer. With HA2 down or misconfigured (wrong port, mismatched transport or VLAN, cable on the wrong interface), the peers can still exchange heartbeats and configuration over HA1, which is why the passive unit still reports 'passive', but the active peer can no longer replicate state and reports the HA2 failure as a non-functional condition. A (HA1 down) would instead break the heartbeats and risk both peers going active, and B and C do not produce this combination of states. Check it with show high-availability all and show high-availability state, which list the status of the HA1 and HA2 links and the reason for the current state, and confirm that the HA2 transport (ethernet, IP or UDP) and port selection match on both peers.
Q2 (hard)

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

A

Another rule earlier in the policy matches the traffic and allows it before reaching this rule.

If an earlier rule allows the traffic, this rule is never evaluated, and logging is not triggered.

B

The firewall is configured to not log interzone traffic.

C

The source address 10.1.0.0/16 is not part of the 10.0.0.0/8 subnet.

D

The logging profile is not applied to the rule.

Why: Option A is correct because security rules are evaluated top-down and the first rule that matches is the only one applied, including its logging setting. If an earlier rule already allows traffic from 10.1.0.0/16 (say an older, narrower rule left in place during the migration), the new rule is shadowed for that traffic and its 'log at session end' setting never takes effect. C is wrong because 10.1.0.0/16 is inside 10.0.0.0/8, and B and D are not how logging is controlled on a security rule. Check it with test security-policy-match (from Trust, to Untrust, a source in 10.1.0.0/16 and an internet destination), which names the rule that actually matches, and look for the shadowing warning the commit reported; then either move the logged rule above the shadowing rule or enable logging on that rule.
Q3 (easy)

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

A

allow

'allow' permits the traffic.

B

reset-both

C

deny

D

drop

Why: The correct action is 'allow' because the security engineer needs to permit inbound HTTPS traffic from the Untrust zone to the DMZ web server. In Palo Alto Networks firewalls, the security policy action 'allow' explicitly permits the traffic to pass through the firewall, which is required for legitimate inbound web traffic.
Q4 (medium)

An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?

A

The static route in VR1 does not point to an interface or next hop that is reachable via VR2.

Without route redistribution, VR1 cannot use VR2's routes.

B

The firewall does not support multiple virtual routers.

C

The virtual routers are not connected to each other.

D

NAT is not configured on VR2.

Why: Each virtual router on a PAN-OS firewall has its own routing table, and a static route is only installed if its next hop is resolvable inside that same virtual router. 10.0.0.1 lives on the ISP-facing interface in VR2, so from VR1's point of view it is unreachable and the route never makes it into the forwarding table. B is wrong because multiple virtual routers are supported, C describes the symptom rather than the cause, and NAT (D) is not consulted until a route exists. The fix is to give VR1 a static route whose next hop type is 'Next VR' pointing at VR2 (with a return route in VR2 for the corporate prefixes), or to redistribute routes between the two virtual routers. Verify with show routing route virtual-router VR1, where the 'A' flag marks routes that are active in the forwarding table.
Q5 (hard)

An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?

A

The source address 10.0.0.0/8 is not included in the source zone.

B

The destination address is set to 'any', which is not valid.

C

The traffic is intra-zone, not inter-zone.

D

A rule with a 'deny' action appears earlier in the security policy.

If a deny rule matches before the allow rule, the traffic is denied.

Why: The most likely reason the inter-zone rule is not matched is that a preceding rule with a 'deny' action is matching the traffic first. In Palo Alto Networks firewalls, security rules are evaluated in order from top to bottom, and the first matching rule determines the action. If an earlier rule denies the traffic, the later allow rule will never be evaluated, even if it would otherwise match.
Q6 (medium)

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

A

Two physical or subinterfaces assigned to the vwire.

A vwire requires exactly two interfaces.

B

A management profile must be applied to the vwire.

C

A zone must be assigned to the vwire.

D

The interfaces must be of type 'aggregate'.

E

No IP addresses configured on the interfaces used in the vwire.

Virtual wire interfaces have no IP address of their own; the firewall forwards frames between the two interfaces unchanged.

Why: A and E are correct. A virtual wire binds exactly two interfaces (physical ports or, for VLAN-tagged traffic, virtual wire subinterfaces) of interface type 'virtual-wire' and passes traffic between them as a bump in the wire: no routing, no MAC learning and no IP addressing on the vwire interfaces, which is why E is a requirement rather than an option. Zones are assigned to the two interfaces, not to the vwire object itself, so C is wrongly worded, although each interface still needs a zone before security policy can match its traffic; a management profile (B) can only be attached to a Layer 3 interface; and the interfaces do not need to be aggregate groups (D). Practical checks: a vwire only passes the VLAN tags listed in its 'Tag Allowed' field (0 means untagged, so add the tags in use), and 'Link State Pass Through' should be enabled so that a link failure on one side is visible to the device on the other side.


Domain 2: Securing Traffic and App-ID

Q1 (medium)

A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?

A

The custom App-ID must be added to a security profile group.

B

The custom App-ID needs a vulnerability profile to be activated.

C

The security policy rule uses the destination port instead of App-ID.

D

An application override rule must be configured to associate the custom App-ID with the traffic.

Application override maps the flow to the custom App-ID without relying on a signature.

Why: Option D is the keyed answer. A custom App-ID created without a signature (just a name, category and default ports) gives the App-ID engine nothing to match against packet contents, so the firewall keeps classifying the TCP/8443 flow as unknown-tcp (or as whatever generic application it does recognise) and a rule written for the custom app never matches. An application override rule that matches the zones, addresses and TCP/8443 and assigns the custom App-ID makes the security rule match. The caveat a practitioner should know: application override turns off App-ID and content inspection (threat, URL and file blocking) for the matched sessions, so scope it tightly by zone and address; if the protocol has a recognisable pattern, a custom App-ID with a signature keeps inspection and needs no override. A and B are wrong because security profiles never change how traffic is classified, and C describes a port-based rule, which would allow the traffic regardless of App-ID.
Q2 (hard)

During a security audit, it is discovered that some HTTP traffic is being incorrectly identified as 'web-browsing' instead of 'ssl' even though the traffic uses HTTPS. The firewall is positioned as a transparent bridge and no SSL decryption is configured. What is the most likely cause?

A

SSL decryption must be enabled for the firewall to correctly identify SSL traffic.

B

The firewall is not seeing the full SSL handshake due to asymmetric routing.

Asymmetric routing can prevent the firewall from seeing the SSL handshake, causing it to identify the traffic as HTTP.

C

The default interzone rule is blocking the SSL identification packets.

D

The security policy allows 'web-browsing' before 'ssl' in the rule order.

Why: App-ID recognises 'ssl' from the cleartext TLS handshake (ClientHello, ServerHello and certificate), so no decryption is required for that classification and A is wrong. In a virtual wire deployment with redundant paths it is easy for the two directions of a flow to take different paths, so the firewall sees only the client-to-server or only the server-to-client half; without the complete handshake the App-ID engine never gets the data it needs to settle on 'ssl', which is the behaviour option B describes. The default interzone rule acts only after App-ID has run (C), and rule order affects which rule matches, not how the traffic is classified (D). Confirm the suspicion before changing anything: compare the client-to-server and server-to-client packet counts for the session in show session id <id>, and check whether out-of-state TCP packets are being dropped or bypassed, since by default the firewall rejects TCP sessions for which it did not see the SYN (the tcp-reject-non-syn and asymmetric-path settings control this). The real fix is to make the return traffic pass through the same firewall, not to relax those settings.
Q3 (easy)

A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?

A

Create a security rule with application conditions set to 'facebook-base' and 'youtube' and action set to 'allow'.

This rule allows only the specified applications.

B

Create a security rule with destination port 80 and 443 and action set to 'allow'.

C

Create a security profile that blocks all applications not in the allow list.

D

Create a URL filtering rule to allow 'social-networking' and 'multimedia' categories.

Why: Option A is correct because App-ID allows you to create a security rule that explicitly allows only the specified applications ('facebook-base' and 'youtube') while implicitly denying all other traffic. Since the default action for any traffic not matching an allow rule is 'deny', this rule achieves the goal of blocking all other applications without needing an explicit block rule.
Q4 (hard)

A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?

A

The firewall must be rebooted for the custom App-ID to take effect.

B

An application override rule has not been configured to associate the traffic with the custom App-ID.

Application override is required to bypass signature-based identification and assign the custom App-ID.

C

The custom App-ID must be enabled in the 'Applications' section of the firewall settings.

D

The firewall cannot identify applications over UDP.

Why: B. A custom App-ID that carries no signature gives the App-ID engine nothing to match in the payload, so the UDP/12345 flow keeps being classified as unknown-udp and the rule written for the custom app never fires. An application override rule for the zones, addresses and UDP/12345 that assigns the custom App-ID fixes this, at the cost of skipping App-ID and content inspection for those sessions, so keep it narrowly scoped. No reboot is needed after a commit (A), there is no separate enable switch for custom applications (C), and App-ID identifies UDP applications such as dns and ntp routinely (D).
Q5 (medium)

An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?

A

Confirm that the source and destination users are correctly configured.

B

Ensure that a security profile is applied to the rule to allow the application.

C

Check if the rule is placed after a deny-all rule.

D

Verify that the firewall is correctly identifying the traffic as 'ms-update' using App-ID.

If the traffic is not identified as 'ms-update', the rule will not match.

Why: App-ID identifies applications by inspecting the traffic rather than by port, so a rule that allows 'ms-update' only matches sessions the firewall has actually classified as ms-update. If the traffic is being identified as something else ('ssl' or 'web-browsing', for example), the rule does not match and the session falls through to the implicit interzone deny, so the first step is to look at the Application column in the Traffic log (or show session id <id>) for the blocked sessions. Only if App-ID is correct does rule order (C) come into play, and A and B cannot explain a deny for a rule with no user or profile restrictions. Windows Update is a common case of an application that is seen as ssl or web-browsing before it is fully identified, which is why the application object's 'Depends on' list matters: the rule may also need to allow those dependencies.
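The first-match behaviour behind Domain 1 Q2 and Q5 and Domain 2 Q1, Q3, Q4 and Q5 (top-down evaluation, shadowed rules that never log, the implicit interzone deny, and application override assigning a custom App-ID before policy is consulted) is easy to reason about with a small model. The following is an added example written for this page, not Courseiva's or Palo Alto Networks' code: the rule fields, the zone names, the 'corp-proprietary' App-ID and the TCP/8443 override are assumptions, and real security rules carry many more match fields.

```python
"""Toy model of PAN-OS security policy evaluation: application override first,
then rules top-down, first match wins, then the predefined default rules."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset      # zone names, or ANY
    dst_zone: frozenset
    src_addr: tuple          # CIDR strings, or ("any",)
    apps: frozenset          # App-ID names, or ANY
    action: str              # "allow", "deny" or "drop"
    log_at_end: bool = True


@dataclass(frozen=True)
class Override:
    name: str
    src_zone: frozenset
    dst_zone: frozenset
    dst_port: int
    app: str                 # the custom App-ID the override assigns


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int
    app: str                 # what App-ID identified ("unknown-tcp", "ssl", ...)


def _in(allowed, value):
    return "any" in allowed or value in allowed


def _addr_ok(cidrs, ip):
    return "any" in cidrs or any(ip_address(ip) in ip_network(c) for c in cidrs)


def apply_overrides(overrides, s):
    """Application override runs before App-ID: the first matching override pins
    the session to its custom app (and on a real firewall skips content inspection)."""
    for o in overrides:
        if _in(o.src_zone, s.src_zone) and _in(o.dst_zone, s.dst_zone) and o.dst_port == s.dst_port:
            return replace(s, app=o.app)
    return s


def evaluate(rules, s, overrides=()):
    """Return (rule name, action, logged). Rules are checked top-down and the first
    match wins; unmatched traffic hits the predefined intrazone-default (allow) or
    interzone-default (deny) rule, neither of which logs unless overridden."""
    s = apply_overrides(overrides, s)
    for r in rules:
        if (_in(r.src_zone, s.src_zone) and _in(r.dst_zone, s.dst_zone)
                and _addr_ok(r.src_addr, s.src_ip) and _in(r.apps, s.app)):
            return r.name, r.action, r.log_at_end
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False


def unreachable(rules, probes, overrides=()):
    """Names of rules that none of the probe sessions reaches: a cheap shadowing
    check to run over representative sessions before committing a policy."""
    hit = {evaluate(rules, p, overrides)[0] for p in probes}
    return [r.name for r in rules if r.name not in hit]


TRUST, UNTRUST = frozenset({"Trust"}), frozenset({"Untrust"})


def shadow_policy():
    """Domain 1 Q2: the new logged rule sits below an identical unlogged one."""
    return [
        Rule("old-allow-corp", TRUST, UNTRUST, ("10.0.0.0/8",), ANY, "allow", log_at_end=False),
        Rule("new-allow-corp-logged", TRUST, UNTRUST, ("10.0.0.0/8",), ANY, "allow", log_at_end=True),
    ]


def app_policy():
    """Domain 2 Q3/Q5: allow only named App-IDs; everything else is implicitly denied."""
    return [
        Rule("allow-social", TRUST, UNTRUST, ("any",), frozenset({"facebook-base", "youtube"}), "allow"),
        Rule("allow-ms-update", TRUST, UNTRUST, ("any",), frozenset({"ms-update"}), "allow"),
        Rule("allow-proprietary", TRUST, UNTRUST, ("10.0.0.0/8",), frozenset({"corp-proprietary"}), "allow"),
    ]


# Hypothetical override: TCP/8443 from Trust to Untrust is the signature-less custom app.
OVERRIDES = [Override("ovr-corp-app", TRUST, UNTRUST, 8443, "corp-proprietary")]

if __name__ == "__main__":
    web = Session("Trust", "Untrust", "10.1.2.3", 443, "web-browsing")
    print(evaluate(shadow_policy(), web))             # ('old-allow-corp', 'allow', False)
    print(unreachable(shadow_policy(), [web]))        # ['new-allow-corp-logged']
    prop = Session("Trust", "Untrust", "10.1.2.3", 8443, "unknown-tcp")
    print(evaluate(app_policy(), prop))               # ('interzone-default', 'deny', False)
    print(evaluate(app_policy(), prop, OVERRIDES))    # ('allow-proprietary', 'allow', True)
```

The shadowed rule in shadow_policy is exactly the Domain 1 Q2 situation: the session is allowed, but by the rule without logging, so nothing is written. The unknown-tcp session shows why a custom App-ID without a signature needs an override: until the override renames the app, the only rule that could allow it never matches and the session falls to interzone-default.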
Q6 (medium)

Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?

A

Right-clicking on a session in the Traffic log and selecting 'Create App-ID'.

B

Using the 'Application Command Center' to automatically generate custom App-IDs.

C

Using the 'set application' command in the CLI.

CLI allows configuration of custom applications.

D

Importing an App-ID definition file from a CSV.

E

Using the 'Objects' > 'Applications' page in the web interface and clicking Add.

This is the standard way to define a custom application, its default ports and any signatures.

Why: C and E are correct. A custom application can be defined in configuration mode with set application <name> followed by its category, subcategory, technology, risk, default ports and optional signatures, and the same object is created in the web interface under Objects > Applications > Add. Application Filters are dynamic groupings of existing applications by category, subcategory, technology, risk or characteristic and cannot create a new App-ID; there is no 'Create App-ID' action on a Traffic log entry (A), the ACC reports on applications but does not generate them (B), and there is no CSV import of application definitions (D). Whichever method you use, commit and then confirm the new object is actually being matched: a custom application without a signature still needs an application override rule before traffic is classified as it.


Domain 3: Securing Users and Applications with Authentication

Q1 (medium)

A company wants to enforce MFA for VPN users but allow users to authenticate without MFA when connecting from the corporate office. Which authentication policy configuration achieves this?

A

Disable MFA in the global Authentication Profile

B

Create an authentication policy with source zone 'Corporate' set to 'require MFA'

C

Create an authentication policy with source zone 'Corporate' set to 'allow' and authentication method 'no MFA'

This allows authentication without MFA from the corporate zone.

D

Create an authentication policy with source zone 'Corporate' set to 'no-auth' and action 'allow'

Why: Option C is the keyed answer. Authentication policy rules are evaluated top-down like security rules, so the rule for source zone 'Corporate' that references an authentication enforcement object without MFA (or the built-in default-no-captive-portal action, if office users should not be challenged at all) must sit above the general rule whose enforcement object uses the MFA-enabled authentication profile. Disabling MFA globally (A) removes it for everyone, B does the opposite of what is asked, and 'no-auth' (D) is not a valid action. Note that for GlobalProtect logins themselves the challenge is governed by the portal and gateway client authentication settings rather than by Authentication policy: the usual design is an internal gateway, selected by internal host detection, whose authentication profile omits MFA, with MFA configured on the external gateway.
Q2 (hard)

After configuring SAML authentication for GlobalProtect, users report they are repeatedly prompted for credentials even though they already authenticated via the IdP. The firewall logs show 'saml-auth-success' but the portal log shows 'user-login-failure: invalid saml assertion'. What is the most likely cause?

A

The IdP does not support IdP-initiated SAML flow

B

The user mapping agent is not configured

C

The firewall and IdP system clocks are out of sync

Time skew can cause SAML assertion validation failure.

D

The SAML identity provider certificate is expired

Why: 'saml-auth-success' shows that the IdP authenticated the user and issued a signed assertion; 'invalid saml assertion' shows that the firewall received it and rejected it. An assertion's Conditions element carries NotBefore and NotOnOrAfter timestamps that the firewall checks against its own clock with a small tolerance (commonly a few minutes), so if the firewall's clock is out of step with the IdP's by more than that, the assertion is rejected as not yet valid or already expired even though its signature verifies, and the user is sent back to the IdP to start again. An expired IdP certificate (D) would fail signature validation rather than the time-window check, the IdP-initiated flow (A) is not involved in a portal-initiated login, and the User-ID agent (B) maps users to IP addresses and plays no part in assertion validation. Before changing the IdP configuration, compare show clock on the firewall with the IdP's time and confirm NTP is configured and synchronised (show ntp).
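To make the time-window check concrete, here is an added example, written for this page and not Courseiva's, Palo Alto Networks' or any SAML library's code, that applies the NotBefore/NotOnOrAfter and audience checks to a constructed assertion under several service-provider clocks. The assertion, the entity IDs and the five-minute tolerance are assumptions; signature verification is assumed to have already passed, which is exactly the situation in the question.

```python
"""Service-provider side validation of a SAML assertion's Conditions element."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: a real one also carries Subject, Signature and
# AuthnStatement elements, and its XML signature is verified before these checks.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2026-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Conditions NotBefore="2026-05-01T12:00:00Z" NotOnOrAfter="2026-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vpn.example.com/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP_AUDIENCE = "https://vpn.example.com/SAML20/SP"   # hypothetical SP entity ID


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 ending in 'Z', sometimes with fractions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_conditions(assertion_xml, now, audience=SP_AUDIENCE, skew=timedelta(minutes=5)):
    """Validate the Conditions element against the service provider's clock.

    `now` is the SP clock (datetime or ISO string); `skew` is the tolerance the SP
    grants in either direction (the exact PAN-OS tolerance is an assumption here).
    Returns (ok, reason)."""
    if isinstance(now, str):
        now = parse_ts(now)
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and audience not in audiences:
        return False, "audience mismatch"
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, f"not yet valid: SP clock is {not_before - now} behind NotBefore"
    if now - skew >= not_on_or_after:
        return False, f"expired: SP clock is {now - not_on_or_after} past NotOnOrAfter"
    return True, "ok"


if __name__ == "__main__":
    for clock in ("2026-05-01T12:00:30Z",   # in sync: accepted
                  "2026-05-01T11:57:00Z",   # 3 min slow: inside the skew, accepted
                  "2026-05-01T11:50:00Z",   # 10 min slow: rejected as not yet valid
                  "2026-05-01T12:20:00Z"):  # 20 min fast: rejected as expired
        print(clock, check_conditions(ASSERTION, clock))
```

The asymmetry in the two comparisons matters: a slow firewall clock trips NotBefore, a fast one trips NotOnOrAfter, and either rejection happens after the IdP has already logged a success, which is the log pattern in the question.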
Q3 (easy)

A network administrator needs to authenticate users accessing the internet through the firewall using Active Directory credentials. Which authentication method should be used to transparently authenticate users without requiring a browser-based captive portal?

A

LDAP

B

NTLM

C

SAML

D

Kerberos

Kerberos provides transparent authentication for domain users.

Why: Kerberos is the correct choice because it gives transparent single sign-on to users on domain-joined Windows machines: after logon the client holds a Ticket-Granting Ticket from the KDC, and when the firewall challenges the browser it obtains a service ticket for the firewall's service principal and presents it automatically, so the user is never prompted. LDAP and RADIUS both require the user to type credentials into a form, and SAML still redirects the browser through the IdP. For this to work the firewall needs a Kerberos keytab generated for its service principal name and imported into the authentication profile, the hostname users are redirected to must match the name in that SPN, and browsers must treat that hostname as an intranet site so they release the ticket.
Q4 (hard)

An organization has deployed GlobalProtect with certificate authentication. Users on macOS report that after updating their client, they cannot connect and see error 'Certificate validation failed: The certificate hash does not match.' What is the most likely cause?

A

The certificate pinning configuration on the gateway has a hash mismatch

Certificate pinning enforces specific hash; client update may change the hash.

B

The root CA certificate is not trusted on the client

C

The CRL is not reachable

D

The GlobalProtect gateway certificate is expired

Why: Option A is correct because the error 'Certificate validation failed: The certificate hash does not match' specifically indicates a certificate pinning mismatch. GlobalProtect certificate pinning allows the gateway to enforce that the client's certificate matches a specific hash (SHA-256 fingerprint). When the client updates, its certificate may change (e.g., due to a new key pair or renewal), causing the hash stored in the gateway's pinning configuration to no longer match, resulting in this exact error.
Q5 (medium)

An administrator configured the authentication profile shown. Users in the domain 'EXAMPLE' are unable to authenticate; logs show 'Authentication failed: user not found'. What is the likely issue?

A

The 'allow-list' is restricting authentication to only user1 and user2

Only those two users are allowed; others are denied.

B

The Kerberos server profile 'KDC-Profile' is misconfigured

C

The expiration time of 60 minutes is too short

D

The realm 'EXAMPLE.COM' does not match the domain 'EXAMPLE'

Why: Option A is correct because the authentication profile includes an 'allow-list' that explicitly restricts authentication to only 'user1' and 'user2'. When a user from the 'EXAMPLE' domain attempts to authenticate, the firewall checks the allow-list first; since the user is not in that list, the authentication fails with the 'user not found' error, even if the user exists in the domain.
Q6 (easy)

Which TWO authentication methods support single sign-on (SSO) capabilities in Palo Alto Networks firewalls?

A

LDAP

B

Local Database

C

Kerberos

Kerberos provides transparent SSO for domain users.

D

RADIUS

E

SAML

SAML enables SSO across different services.

Why: Kerberos (option C) supports SSO because it uses ticket-based authentication where the client obtains a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) and presents it to the firewall without re-entering credentials. SAML (option E) supports SSO by exchanging signed XML assertions between an identity provider (IdP) and the firewall, enabling browser-based federated single sign-on.


Domain 4: Decryption and SSL Inspection

Q1 (medium)

An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?

A

Disable decryption globally and create a custom URL category for the financial domains to enable decryption only for those.

B

Create two Decryption Policy rules: a 'no-decrypt' rule matching the financial domains, placed above a 'decrypt' rule for the rest of the outbound HTTPS traffic.

Decryption policy is evaluated top-down, so the no-decrypt exception above the general decrypt rule exempts just those domains while everything else is decrypted.

C

Upload the server certificates for the financial domains to the firewall and enable 'no-decrypt' on the Decryption Profile.

D

Configure a single Decryption Policy rule with a 'decrypt' action and add the financial domains to the 'Exclude Certificate' list.

Why: Option B is correct. Decryption policy is first-match, so a 'no-decrypt' rule that matches the financial domains (by URL category, typically the predefined financial-services category or a custom URL category holding the domains) placed above the general SSL Forward Proxy 'decrypt' rule exempts exactly that traffic. A inverts the requirement, a decryption profile (C) controls how a session is decrypted rather than whether it is, and 'Exclude Certificate' is not a decryption rule field (D). Two practical caveats: attach a decryption profile to the no-decrypt rule as well, so the firewall still blocks sessions whose server certificate is expired or untrusted, and use the SSL Decryption Exclusion list under Device > Certificate Management for applications that break under decryption (certificate pinning) instead of growing the policy exception.
Q2 (hard)

Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?

A

SSL Forward Proxy decryption can only be applied to traffic destined for TCP port 443.

B

Decryption policy rules can match on source zone, source user, destination IP, URL category, and service.

These are common match criteria for decryption policy rules.

C

The firewall must generate a certificate on-the-fly signed by a trusted CA for each decrypted session.

This is correct; the firewall acts as a man-in-the-middle and creates a certificate signed by the enterprise CA.

D

An 'ssl-decrypt' action in a decryption rule requires that the associated decryption profile includes a certificate for the firewall to use.

E

The firewall can inspect the Server Name Indication (SNI) field in the ClientHello to determine the destination hostname.

SNI is used for policy matching when decryption is not possible or not required.

Why: B, C and E are the true statements. Decryption rules match on source and destination zone, address, user, URL category and service (B), so decryption can be scoped by business need rather than applied wholesale. In SSL Forward Proxy the firewall terminates the client's TLS session, opens its own session to the server and presents the client a certificate it generates on the fly for that server name, signed by the Forward Trust CA if the real server's chain validated or by the Forward Untrust CA if it did not, which is why the Forward Trust CA has to be distributed to clients (C). The SNI in the cleartext ClientHello lets the firewall learn the requested hostname and match URL-category based rules before deciding whether to decrypt at all (E). A is false because decryption applies to whatever the rule's service field allows, including TLS on non-standard ports, and D is false because the Forward Trust and Forward Untrust certificates are designated under Device > Certificate Management, not inside the decryption profile, which holds the protocol, cipher and failure-handling settings instead.
Q3 (hard)

You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?

A

The forward trust certificate has expired or is not trusted by the clients in Branch Office A.

B

The decryption profile for Branch Office A is configured with an incorrect cipher suite that is not supported by the external websites.

C

Traffic from Branch Office A is asymmetrically routed, causing the TLS handshake to be incomplete.

Asymmetric routing can cause the firewall to see only one side of the TCP handshake, leading to SSL handshake failures.

D

The decryption policy rule for Branch Office A is missing the 'ssl-decrypt' action.

Why: C is the keyed answer. The certificates and the decryption policy are shared by every site, so the only variable is the network path from Branch Office A. If that branch's outbound and return traffic do not both traverse the data center firewall (for example a second MPLS path or a local internet breakout carries the replies), the firewall sees only one direction of each flow and cannot complete the TLS handshakes it must perform as a forward proxy, producing the handshake failures and the chain-validation errors in the logs. A would affect every site that trusts the same CA, B would also affect every site because the decryption profile is shared, and D would simply leave the traffic undecrypted rather than broken. Confirm it by checking the client-to-server and server-to-client packet counts of a failing Branch A session and by tracing the return route from the internet back to Branch Office A.
Q4 (medium)

A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?

A

Configure the SSL/TLS Service Profile to bypass decryption for the domain.

B

Configure a Decryption Profile to exclude the domain.

C

Create a Decryption Policy rule matching the traffic and set the action to 'No Decrypt'.

Decryption Policy rules with 'No Decrypt' action are the correct way to exclude traffic from decryption based on zone, URL category, etc.

D

Enable certificate revocation checking for the decryption zone.

Why: Option C is correct. SSL Forward Proxy is driven by decryption policy, so the exemption is a decryption rule placed above the general decrypt rule, matching the financial sites by URL category (the predefined financial-services category, or a custom URL category holding *.bank.com) with the action No Decrypt; the firewall then forwards those sessions untouched. SSL/TLS service profiles (A) define the protocols and certificate the firewall's own listening services use, decryption profiles (B) set how matched sessions are handled rather than which sessions are matched, and revocation checking (D) is unrelated. Because the hostname comes from the SNI in the ClientHello, which the client controls, keep a decryption profile on the no-decrypt rule so that the firewall still verifies the server certificate and blocks sessions whose certificate is untrusted or expired.
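The hostname the decryption rules in Domain 4 Q1, Q2 and Q4 match on (and the handshake that Domain 2 Q2 says App-ID needs to see) comes from the cleartext ClientHello, so a short parser shows both what the firewall can learn without decrypting and where the decision goes wrong. The following is an added example written for this page, not Courseiva's or Palo Alto Networks' code: the ClientHello is constructed rather than captured, the two-rule decryption policy and the *.bank.com patterns are assumptions, and fnmatch stands in for URL-category matching.

```python
"""Extract the SNI from a TLS ClientHello and pick a decryption rule for it."""
import fnmatch
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS ClientHello record (constructed test input, not a
    capture). server_name=None omits the server_name extension entirely."""
    body = b"\x03\x03" + bytes(32)                        # client_version, random
    body += b"\x00"                                       # empty session_id
    body += struct.pack(">H", 4) + b"\x13\x01\xc0\x2f"    # two cipher suites
    body += b"\x01\x00"                                   # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name          # host_name entry
        name_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0, len(name_list)) + name_list     # ext type 0 = SNI
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, None if the record is not a
    ClientHello or carries no SNI, and raise ValueError on truncated length fields
    (a parser that trusts lengths blindly is how inspection engines get crashed)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len:
        raise ValueError("truncated TLS record")
    if hs[0] != 0x01:
        return None

    def need(pos, n):                                     # bounds check before every read
        if pos + n > len(hs):
            raise ValueError("truncated ClientHello")

    p = 4 + 2 + 32                                        # handshake header, version, random
    need(p, 1); p += 1 + hs[p]                            # session_id
    need(p, 2); p += 2 + struct.unpack(">H", hs[p:p + 2])[0]   # cipher_suites
    need(p, 1); p += 1 + hs[p]                            # compression_methods
    if p == len(hs):
        return None                                       # no extensions block at all
    need(p, 2); ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    need(0, ext_end)
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        if p + elen > ext_end:
            raise ValueError("truncated extension")
        if etype == 0:                                    # server_name: list length, entries
            q = p + 2
            while q + 3 <= p + elen:
                ntype, nlen = hs[q], struct.unpack(">H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                            # name_type 0 = host_name
                    return hs[q:q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


# Hypothetical decryption policy, evaluated top-down like the real one: an
# exemption for the financial domains above a catch-all decrypt rule.
DECRYPTION_POLICY = [
    ("no-decrypt-financial", "no-decrypt", ["bank.com", "*.bank.com"]),
    ("decrypt-outbound", "decrypt", ["*"]),
]


def decryption_action(record, policy=DECRYPTION_POLICY):
    """Pick the decryption rule for a ClientHello. Returns (rule, action, sni).
    Without an SNI the hostname exemption cannot match; a real firewall then
    falls back to the destination IP or the server certificate instead."""
    sni = extract_sni(record)
    host = (sni or "").lower()
    for name, action, patterns in policy:
        if any(fnmatch.fnmatchcase(host, pat) for pat in patterns):
            return name, action, sni
    return "no-rule", "no-decrypt", sni                  # no decryption rule: left alone


if __name__ == "__main__":
    for name in ("www.bank.com", "example.org", None):
        print(name, decryption_action(build_client_hello(name)))
```

Two points the output makes: a ClientHello with no SNI never reaches the financial exemption, and the SNI is an unauthenticated string chosen by the client, so a no-decrypt rule keyed on hostname alone should still be paired with a decryption profile that validates the server certificate the far end actually presents.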
Q5 (hard)

Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment in a Palo Alto Networks firewall?

A

Decryption is applied globally to all traffic; selective decryption is not possible.

B

The firewall can decrypt all TLS sessions regardless of client certificate authentication.

C

When deploying SSL Forward Proxy, the firewall must generate a certificate for each decrypted session to re-encrypt traffic to the client.

The firewall acts as a proxy, generating a certificate signed by a trusted CA to re-encrypt traffic to the client.

D

Traffic using Server Name Indication (SNI) in TLS must be decrypted at the firewall or it will be dropped.

E

The firewall uses a decryption policy to determine which traffic to decrypt.

Decryption policy rules define which traffic is decrypted based on source, destination, URL category, etc.

Why: C and E are the valid considerations. In an SSL Forward Proxy deployment the firewall acts as a man-in-the-middle: it terminates the client's TLS connection, inspects the decrypted traffic and opens its own TLS connection to the server, so for every decrypted session it generates a certificate for the server name, signed by the Forward Trust CA that is installed on the clients, and the client sees a valid chain without a warning (C). Which sessions get that treatment is decided entirely by decryption policy, matched on source, destination, user, URL category and service (E). A is false because policy makes decryption selective, B is false because a session that uses client certificate authentication cannot be proxied (the firewall has no way to present the client's certificate to the server) and has to be excluded, and D is false because SNI is cleartext metadata the firewall reads whether or not it decrypts.
Q6 (medium)

Order the steps to configure a static route on a Palo Alto Networks firewall.

Why: Static routes are defined per virtual router with destination and next-hop.


Domain 5: Managing Troubleshooting and High Availability

Q1 (hard)

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?

A

The ARP table was not synchronized during failover.

B

The HA2 link is down, causing session table mismatch.

C

The new active firewall does not have a valid license.

D

The session setup rate exceeded the new active firewall's capacity.

If new sessions arrive faster than the new active firewall can set them up, it drops them while the separate management plane stays reachable.

Why: Option D is the keyed answer: after failover the new active firewall has to build every new session itself, and if the setup rate exceeds what its platform or licensing allows, those sessions are dropped even though the management plane, which is separate from the dataplane, keeps answering. In a real failover test it is worth ruling out the more common causes before accepting that explanation: verify that the new active peer sent gratuitous ARPs and that the adjacent switches have updated their MAC tables for its interfaces, check the HA 'Passive Link State' setting (with 'shutdown', the formerly passive ports have to come up before traffic can flow), confirm the HA2 link was up so that existing sessions were synchronised, and confirm the traffic interfaces are actually up with show interface all.
Q2 (easy)

A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?

A

Link failure

B

Active/Active

C

Passive/Passive

D

Split brain

Both peers of an active/passive pair believing they are active is the split-brain condition.

Why: In an active/passive pair only one firewall should be active at a time. When both report 'active', the pair has entered a split-brain condition: the HA1 control link (and any backup control link) has failed, each peer has stopped receiving the other's heartbeats and assumed it is gone, and both now forward traffic independently with diverging session tables and possibly duplicate ownership of the same IP addresses. Active/Active (B) is a deliberate deployment mode, not a fault. Mitigate it with an HA1 backup link and by enabling Heartbeat Backup, which carries the heartbeats over the management interfaces as well.
Q3 (medium)

An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show routing route command shows the default route is missing. What is the most likely cause?

A

Floating static routes were not configured on the passive firewall.

The scenario assumes the default route existed only on the original active unit, so the former passive unit has no exit path once it takes over.

B

Static routes were not synchronized.

C

OSPF routes were not synchronized.

D

BGP routes were not synchronized.

Why: Option A is the intended answer: the former passive unit has no default route because none was ever present in its configuration, and a floating static route (same destination, a higher metric, often tied to path monitoring) is the usual way to give each unit its own exit path. The caveat a practitioner should know is that PAN-OS active/passive HA synchronizes the running configuration, including virtual routers and their static routes, over HA1, so in a healthy pair the default route is present on both peers before failover. A route that is missing after failover therefore usually means configuration synchronization never completed or was disabled (check the sync status in show high-availability state and run request high-availability sync-to-remote running-config from the unit that holds the good configuration), or that the route was withdrawn on the new active unit by static route path monitoring because its monitored next hop was unreachable from there. Options C and D are wrong for the opposite reason: dynamic routes are not synchronized at all, and OSPF or BGP on the new active unit has to re-establish adjacencies after failover, which is a separate cause of brief outages rather than a missing static default.
Q4 (medium)

During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?

A

Configure HA3 for stateful inspection.

B

Increase HA1 keepalive timer.

C

Enable config sync on HA1.

D

Enable session sync on HA2.

Session sync ensures sessions are replicated to the passive firewall.

Why: Option D is correct. HA2 is the data link, and with session synchronization enabled (the default) the active unit continuously copies session state to the passive unit, so after a failover the new active unit already holds the session table and existing TCP and UDP sessions keep flowing. Without it the new active unit starts empty, and because the firewall will not accept a non-SYN TCP packet for which it has no session, every established connection is torn down. Option A is wrong because HA3 carries packets between active/active peers for session setup and asymmetric flows, not session state; options B and C concern HA1, the control link that carries hellos, heartbeats and configuration synchronization, not sessions. Verify with show high-availability state that the HA2 link is up and session synchronization is enabled, and remember that HA2 traffic is not encrypted by default, so it belongs on a direct cable or an isolated VLAN.
Q5 (hard)

Which TWO conditions can cause an HA pair to enter an 'active/active' state? (Choose two.)

A

Loss of HA keepalive on both sides

If keepalives are lost, each firewall assumes the other is dead and becomes active.

B

License expiration on one firewall

C

Session synchronization failure

D

Configuration mismatch between peers

E

HA1 link failure

If HA1 fails, firewalls cannot exchange heartbeats and may both become active.

Why: Options A and E describe the same failure from two angles. Hellos and heartbeats travel over HA1; if the HA1 link fails and there is no HA1 backup link or heartbeat backup (an ICMP heartbeat exchanged over the management interfaces), neither unit hears the other, each declares its peer down, and the passive unit promotes itself. Both units then claim the same interface IP addresses, answer ARP for them, and forward independently, which produces duplicate-address conflicts, loops and asymmetric flows. Option B is wrong because an expired license does not change HA state; option C affects only the HA2 data link, and the pair stays active/passive with a stale session table on the passive unit; option D is reported as a configuration sync mismatch and does not promote the passive unit. The fix is to give the control channel a second path (HA1 backup or heartbeat backup) so that a single cable or switch failure cannot isolate the peers.
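The split-brain mechanism behind this question and Q2 above can be watched in a small simulation. The following Python model is an added example written for this page, not PAN-OS code: it assumes the Recommended timer profile's 8000 ms hello interval and 2000 ms promotion hold time, treats "no hello for one hello interval" as the peer-down trigger (a simplification of the real hello and heartbeat logic), and constructs the link failure events itself.

```python
"""Added example: a toy model of two active/passive HA peers losing their control channel.
Not PAN-OS code. Timer values are the Recommended profile numbers, used here as assumptions,
and 'one hello interval without a hello' is a simplified peer-down rule."""
from dataclasses import dataclass
from typing import Optional, Tuple

HELLO_INTERVAL_MS = 8000     # assumption: Recommended profile hello interval
PROMOTION_HOLD_MS = 2000     # assumption: Recommended profile promotion hold time


@dataclass
class ControlPaths:
    """Paths that can carry hellos/heartbeats. Any single path that is up keeps the peers in contact."""
    ha1: bool = True
    ha1_backup: bool = False        # False here means 'not configured'
    heartbeat_backup: bool = False  # ICMP heartbeat over the management interfaces

    def any_up(self) -> bool:
        return self.ha1 or self.ha1_backup or self.heartbeat_backup


@dataclass
class Peer:
    name: str
    state: str                             # "active" or "passive"
    last_hello_ms: int = 0
    peer_lost_since_ms: Optional[int] = None


def run(paths: ControlPaths, fail_ha1_at_ms: int, duration_ms: int, tick_ms: int = 1000) -> Tuple[str, str]:
    """Advance time in ticks. While any control path is up the peers hear each other every tick.
    A peer that has heard nothing for HELLO_INTERVAL_MS declares its partner down; a passive peer
    then waits PROMOTION_HOLD_MS and promotes itself. Returns the final (fw-a, fw-b) states."""
    a = Peer("fw-a", "active")
    b = Peer("fw-b", "passive")
    for now in range(0, duration_ms + 1, tick_ms):
        if now >= fail_ha1_at_ms:
            paths.ha1 = False                      # the HA1 cable or switch port dies at this point
        for me in (a, b):
            if paths.any_up():
                me.last_hello_ms = now             # still in contact: nothing to do
                me.peer_lost_since_ms = None
                continue
            if now - me.last_hello_ms < HELLO_INTERVAL_MS:
                continue                           # inside the hello window, no hello missed yet
            if me.peer_lost_since_ms is None:
                me.peer_lost_since_ms = now        # partner declared down; promotion hold starts
            if me.state == "passive" and now - me.peer_lost_since_ms >= PROMOTION_HOLD_MS:
                me.state = "active"                # both units now claim the active role
    return a.state, b.state


def is_split_brain(states: Tuple[str, str]) -> bool:
    return states == ("active", "active")


if __name__ == "__main__":
    for label, paths in [("HA1 only", ControlPaths()),
                         ("HA1 + heartbeat backup", ControlPaths(heartbeat_backup=True))]:
        states = run(paths, fail_ha1_at_ms=10_000, duration_ms=30_000)
        print(f"{label}: {states} split-brain={is_split_brain(states)}")
```

With HA1 as the only control path the passive unit promotes itself about ten seconds after the link dies and both peers end up active; adding either an HA1 backup link or the heartbeat backup keeps the pair in contact and the states unchanged, which is the whole argument for never running HA1 as a single cable.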
Q6 (medium)

Based on the exhibit, what caused the last failover?

A

The HA2 link went down.

B

A preemption event occurred.

C

The peer firewall was rebooted.

D

The HA1 keepalive from the peer was lost.

The output shows 'last failure reason: peer HA1 keepalive lost'.

Why: The exhibit reports the loss of the peer's HA1 keepalive as the last failover reason. The passive unit expects hello messages and ICMP heartbeats from the active peer over HA1 (8000 ms hello interval and 2000 ms heartbeat interval in the Recommended timer profile); when they stop arriving it declares the peer down and, after the promotion hold time (2000 ms in the same profile), becomes active. A keepalive loss does not by itself prove the peer crashed: a failed HA1 cable or switch port produces the same reason against a perfectly healthy peer, which is why an HA1 backup link or heartbeat backup is recommended. Option A cannot trigger a failover on its own because HA2 carries session state, not hellos, and a preemption (B) or a peer reboot (C) would appear under its own reason rather than as a lost keepalive.


Domain 6: Core Concepts and Architecture

Q1 (medium)

A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?

A

Create separate virtual systems (VSYS) for each tenant on the same firewall.

VSYS provides complete logical separation of configuration, routing, and policies per tenant.

B

Deploy multiple VM-Series firewalls as separate instances on the same hypervisor.

C

Use active/active HA mode to assign each tenant to a different firewall.

D

Configure multiple virtual routers (VRFs) within the same virtual system.

Why: Virtual systems (VSYS) allow a single Palo Alto Networks firewall to be partitioned into multiple independent logical firewalls, each with its own routing table, security policies, and administrative domains. This enables tenant isolation on a single HA pair without requiring separate hardware or instances, making option A correct for the described requirement.
Q2 (hard)

A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?

A

The route lookup for the destination requires a larger MTU.

B

The firewall is not performing TCP MSS clamping on the traffic.

C

The firewall is using jumbo frames on the internal interface.

D

The packet is being encapsulated (e.g., IPsec) after routing, increasing its size beyond 1500 bytes.

Encapsulation adds an outer IP header, ESP header, IV, padding and integrity check value, so an inner packet that is already at the MTU no longer fits the egress interface.

Why: After the routing decision sends the packet into an IPsec tunnel, the firewall wraps the unchanged 1500-byte inner packet in an outer IP header plus the ESP header, IV, trailer padding and ICV (on the order of 50 to 60 bytes for a typical AES-CBC with HMAC-SHA1 suite, slightly less for AES-GCM, plus 8 more bytes under NAT-T). The encapsulated packet then exceeds the 1500-byte MTU of the physical interface, and the drop is logged at that interface after encapsulation rather than against the inner packet. The standard remedies are to enable TCP MSS adjustment on the ingress interface (Network > Interfaces > Advanced) so TCP segments are sized for the tunnel, to lower the tunnel interface MTU, or to permit fragmentation where the DF bit is not set. Option B is a contributing factor rather than the cause, option A is not how a route lookup works, and jumbo frames on the internal interface (C) would make the problem less likely, not more.
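The overhead arithmetic in this answer is easy to get wrong because ESP pads to the cipher block size. The following Python is an added example, not code from the page or from Palo Alto Networks: header sizes follow RFC 4303, and the three cipher suites are constructed assumptions with typical IV and ICV lengths. It generalizes the question by reporting, for any suite and MTU, the largest inner packet that still fits and the TCP MSS that keeps full-size segments fitting.

```python
"""Added example (not from the page or from Palo Alto Networks): compute how much IPsec ESP
tunnel-mode encapsulation adds to an inner packet, whether the result still fits the egress MTU,
and the TCP MSS that keeps it fitting. Header sizes follow RFC 4303; the cipher suites below are
constructed assumptions for illustration."""
from dataclasses import dataclass

IPV4_HDR = 20     # outer tunnel IP header
UDP_HDR = 8       # only with NAT-T (UDP encapsulation)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
TCP_HDR = 20


@dataclass(frozen=True)
class EspSuite:
    name: str
    block_size: int   # cipher block size the payload is padded to (1 for counter/GCM modes)
    iv_len: int       # explicit IV carried in the packet
    icv_len: int      # integrity check value
    nat_t: bool = False


# Constructed sample suites (assumed parameters, typical values).
AES128_CBC_SHA1 = EspSuite("aes-128-cbc + hmac-sha1-96", block_size=16, iv_len=16, icv_len=12)
AES128_GCM = EspSuite("aes-128-gcm", block_size=1, iv_len=8, icv_len=16)
AES128_GCM_NATT = EspSuite("aes-128-gcm over NAT-T", block_size=1, iv_len=8, icv_len=16, nat_t=True)


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """ESP pads (payload + trailer) to the cipher block size, and always to a 4-byte boundary."""
    align = max(suite.block_size, 4)
    return (-(inner_len + ESP_TRAILER)) % align


def encapsulated_size(inner_len: int, suite: EspSuite) -> int:
    """Size on the wire of a tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    return (IPV4_HDR + (UDP_HDR if suite.nat_t else 0) + ESP_HDR + suite.iv_len
            + inner_len + ESP_TRAILER + esp_padding(inner_len, suite) + suite.icv_len)


def fits(inner_len: int, suite: EspSuite, mtu: int = 1500) -> bool:
    return encapsulated_size(inner_len, suite) <= mtu


def max_inner_len(suite: EspSuite, mtu: int = 1500) -> int:
    """Largest inner packet that still encapsulates to <= mtu (walk down from the MTU)."""
    n = mtu
    while encapsulated_size(n, suite) > mtu:
        n -= 1
    return n


def tcp_mss(suite: EspSuite, mtu: int = 1500) -> int:
    """TCP MSS to advertise (or clamp to) so full-size segments survive encapsulation."""
    return max_inner_len(suite, mtu) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for suite in (AES128_CBC_SHA1, AES128_GCM, AES128_GCM_NATT):
        print(f"{suite.name}: 1500-byte inner -> {encapsulated_size(1500, suite)} bytes on the wire, "
              f"fits 1500 MTU: {fits(1500, suite)}, max inner {max_inner_len(suite)}, "
              f"TCP MSS {tcp_mss(suite)}")
```

For the AES-CBC/SHA1 suite a 1500-byte inner packet becomes 1560 bytes on the wire, and the largest inner packet that still fits is 1438 bytes, which is why an MSS around 1400 is the usual clamp value on tunnel-facing interfaces; AES-GCM needs slightly less headroom because it does not pad to a 16-byte block.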
Q3 (easy)

An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?

A

Security profiles

B

Security zones

C

Security policy rule groups

Rules are grouped with tags and viewed as groups; targeting of users or devices lives in each rule's match criteria.

D

Application groups

Why: The feature the question is reaching for is rule grouping by tag: in PAN-OS you tag security rules and display the rulebase grouped by tag (Group Rules By Tag), so rules that share a purpose, such as one department's or one application's rules, stay together and can be moved, audited and disabled as a unit without manual reordering. Applying rules to particular users or devices is not a property of the group but of each rule's match criteria: the Source User field (User-ID) and, on PAN-OS 10.0 and later, the Source Device field (Device-ID). Security profiles (A) act on traffic a rule already allows, zones (B) are interface groupings used as match criteria, and application groups (D) bundle App-IDs for reuse inside rules; none of them organize the rulebase.
Q4 (medium)

During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?

A

Reduced new session setup rate.

B

Reduced committed information rate (CIR) on QoS policies.

C

Increased latency for management access.

D

Increased packet drops due to buffer exhaustion.

When the packet buffers are exhausted, arriving packets have nowhere to be queued and are dropped at ingress.

Why: CPU at 30% rules out processing capacity as the bottleneck; what is exhausted is the pool of dataplane packet buffers that hold packets waiting for processing or transmission. Once utilization sits above 90%, bursts have no free buffer to land in and the dataplane tail-drops them, so option D is the direct impact. The session setup rate (A) and QoS CIR (B) are not reduced by buffer pressure, and management access (C) runs on the management plane. Verify with show running resource-monitor, which reports packet buffer and packet descriptor utilization alongside per-core CPU; if a handful of sessions or a single source are consuming the buffers, Packet Buffer Protection (configured under Device > Setup > Session and enabled per zone) can discard or block the offending sessions before the pool is exhausted.
Q5 (hard)

A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?

A

The firewall will automatically redistribute the route to VR-B if needed.

B

The firewall will perform a reverse path forwarding (RPF) check on the source IP.

C

The packet will be dropped because the destination is not in the same VR as the ingress interface.

D

The firewall will use the zone of the egress interface to determine the security policy.

The route lookup chooses the egress interface, and that interface's zone becomes the destination zone for the policy lookup.

Why: Option D describes what PAN-OS actually does. The ingress interface fixes the source zone; the route lookup in that interface's virtual router (VR-A) selects the egress interface, and that interface's zone is the destination zone used, together with the source zone, to find the matching security policy rule (policy-based forwarding can override the route lookup, but the egress zone still decides). Option A is wrong because virtual routers are isolated; a route reaches VR-B only through a static route whose next hop is the other virtual router or through explicit redistribution. Option C is wrong because the lookup succeeded in VR-A, so the packet leaves through whichever VR-A interface reaches 192.168.1.1. Option B is wrong as a general statement: the firewall does not perform a reverse path check by default. A lookup of the source address against the ingress interface happens only when a Zone Protection profile's Packet Based Attack Protection enables the Spoofed IP address drop, and that is an opt-in control, not part of the normal forwarding path. To see the decision for yourself, test routing fib-lookup virtual-router VR-A ip 10.1.1.1 reports the egress interface, and test security-policy-match with the corresponding zones reports the rule.
Q6 (medium)

A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?

A

Create a security policy rule with an application override to match the port.

B

Define a custom application with the appropriate protocol, port, and optionally a signature.

Custom application objects allow the firewall to identify the traffic based on port and/or signature.

C

Enable SSL decryption on the traffic to inspect encrypted payloads.

D

Add the port to the default application's 'port' field in the application object.

Why: Option B is correct. The built-in App-ID signatures cannot recognize a proprietary protocol, so the traffic would otherwise be classified as unknown-tcp. A custom application object with the protocol (TCP), the port (12345) and, ideally, a signature built from a pattern in the payload lets App-ID identify the traffic while still passing it through content inspection and threat prevention. Option A, an application override policy, also assigns the name, but it switches the session to layer 4 handling and bypasses App-ID and threat inspection, so it is the fallback for traffic that cannot be signatured rather than the first choice. Decryption (C) is irrelevant to a cleartext proprietary protocol, and predefined application objects (D) cannot be edited.


Domain 7: Secure Access and VPN

Q1 (easy)

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

A

The remote users' computers are not domain-joined.

Kerberos needs a domain-joined client that can reach a domain controller (KDC) to obtain and present a ticket.

B

The external gateway is not configured for Kerberos authentication.

C

The authentication profile is not configured on the gateway.

D

The GlobalProtect gateway certificate is not trusted by the client.

Why: Kerberos authentication requires the client to hold a ticket-granting ticket from the domain's Key Distribution Center and to obtain a service ticket for the portal; a computer that is not joined to the domain has no credentials in Active Directory and cannot do either, so authentication fails. The practical caveat for remote access is that even a domain-joined laptop must be able to reach a domain controller to get tickets, and before the GlobalProtect tunnel is up a remote user usually cannot, so Kerberos is normally paired with a fallback method (LDAP, RADIUS or SAML) in the authentication profile or reserved for internal gateways. Options B and C describe the gateway, but the failure in the scenario is at the portal; option D would produce a certificate warning or a TLS failure rather than an authentication error.
Q2 (medium)

A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?

A

Configure the portal to assign the gateway only when the user is external.

B

Set the gateway's 'Tunnel Mode' to 'No' for internal users.

C

Configure the gateway agent with internal host detection.

D

Set the portal's 'Internal Host Detection' to detect the internal network and set 'Gateway' to 'None' for the internal network.

When the app determines it is on the internal network and no internal gateway is configured, it stays in internal mode and does not build a tunnel.

Why: Option D is correct. Internal Host Detection is configured in the portal's agent settings: the portal gives the app an internal hostname and the IP address it should resolve to, and if the app can resolve that address back to that name (a reverse lookup that only succeeds on the corporate network) it concludes it is internal. If the portal's agent configuration lists internal gateways the app connects to them without a tunnel, which still provides User-ID and HIP information; if none are listed the app simply remains in internal mode, and traffic to internal resources goes directly rather than hairpinning through the firewall. External users fail the check and are handed the external gateways. Options A and B misplace the setting, and option C attaches the feature to the gateway rather than to the portal configuration that the app downloads.
Q3 (hard)

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

A

The tunnel interface is not in a virtual router.

B

The firewall does not have a route to the virtual IP pool.

Return traffic from internal resources has to be routed back to the tunnel interface; if the pool is unknown to the firewall's virtual router or to the internal routers, replies never reach the client.

C

The security policy does not allow traffic from the VPN zone.

D

The IP pool for the VPN client is exhausted.

Why: Option B is the intended answer. Client packets arrive over the tunnel and are forwarded, but replies from internal hosts only come back if the path to the client's pool address leads to the firewall's tunnel interface. The firewall reaches a connected client only through that tunnel interface, and only within the virtual router that contains it, so if the tunnel interface sits in a different virtual router from the internal-facing interfaces, or if the internal routers have no route for the pool pointing at the firewall, replies are sent elsewhere or dropped. Check with test routing fib-lookup virtual-router <vr> ip <client-ip> on the firewall and with a traceroute from an internal host to the client address. Before settling on this, rule out the two other common causes: the gateway's split tunnel access routes must include the internal networks (otherwise the client never sends the traffic into the tunnel), and a security policy must allow traffic from the tunnel interface's zone to the internal zones (option C), which would show as denies in the traffic log. Option A would prevent the tunnel from coming up at all, and an exhausted pool (D) would prevent the client from getting an address.
Q4 (medium)

A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?

A

The tunnel interface is not assigned to a security zone.

B

Dead peer detection (DPD) is not configured.

C

The local and peer IP addresses are swapped on one side.

If the local and peer IPs are reversed, the IKE negotiation will fail because the peer expects the opposite.

D

The MTU on the WAN interface is set too low.

Why: Option C is correct. An IKE gateway's local address must be the firewall's own interface IP and the peer address the remote firewall's; if one side has them confused, for example its own WAN address entered as the peer address, the IKE_SA_INIT goes to the wrong endpoint, the other side never sees a proposal from the address it expects, and no IKE SA forms even though the pre-shared key, version and algorithms match. Confirm with show vpn ike-sa and the system log (subtype vpn), and use test vpn ike-sa gateway <gateway-name> to force an initiation: an IKE SA that never appears points at addressing or reachability (UDP 500, and 4500 with NAT-T), whereas an IKE SA that forms without an IPsec SA points at the tunnel's proxy IDs or crypto profile. Option A would leave the tunnel up but block traffic with a policy denial, option B only affects detection of a dead peer after the tunnel is up, and option D causes fragmentation or large-packet loss, not a failure to negotiate.
Q5 (hard)

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

A

The GlobalProtect app's cookie integrity is corrupted.

B

The IKE gateway's rekey lifetime is shorter than the IPSec security association lifetime.

If the IKE rekey lifetime expires before the IPSec SA, the tunnel may be torn down unexpectedly.

C

The GlobalProtect client needs to be reinstalled.

D

The user-id agent is not resolving usernames correctly.

Why: 'Tunnel rekey failed' means the IPsec security association could not be renewed when its lifetime (or traffic-volume limit) ran out, so the gateway tears the tunnel down and the app reconnects, which the user experiences as a drop. The intended answer, B, is a lifetime ordering problem: the IKE SA that protects the rekey negotiation expires before the IPsec SA it should renew, so the rekey has nothing to run under. Palo Alto Networks' guidance is to keep the IKE lifetime longer than the IPsec lifetime (the defaults are 8 hours and 1 hour) and to make sure both ends agree, because a mismatch shows up at the first rekey rather than at the initial connection. Options A, C and D would fail at login, not at a periodic interval.
Q6 (easy)

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

A

Use user-ID on the GlobalProtect gateway.

B

Configure group mapping on the GlobalProtect portal.

C

Create a HIP profile and assign it to the gateway.

D

Configure a security policy with user-ID matching the required users.

Security policies can use user-ID to allow or deny traffic based on authenticated user.

Why: Option D is correct because the security policy is the enforcement point that controls access to internal applications. A rule whose Source User field names the required users or groups, with the tunnel zone as source and the internal zone as destination, lets only those identities reach the applications; everyone else connected through GlobalProtect is denied by the rules below it. User-ID on the gateway (A) and group mapping (B) supply the user and group information the rule consumes but enforce nothing by themselves, and a HIP profile (C) checks device posture, not identity. Note that an authentication profile can also carry an allow list that limits who may authenticate to the portal or gateway at all; that controls who can connect, while security policy with User-ID controls what a connected user can reach, which is what the question asks.


Domain 8: Manage, Monitor and Operate

Q1 (easy)

A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?

A

(addr.src eq user@domain.com) or (eventid eq auth-fail)

B

(addr.src eq user@domain.com) and (severity ge medium)

C

(addr.src eq user@domain.com) and (eventid eq auth-fail)

Combines a source match with the auth-fail event ID, though addr.src matches an IP address rather than a user name.

D

(src eq user@domain.com) and (eventid eq auth)

Why: Option C is the intended answer because it is the only option that ANDs a source match with auth-fail, the system log event ID for a failed authentication. Option A's OR would return every auth-fail event on the firewall plus every event from that source, option B selects on severity rather than on event, and option D truncates the event ID to auth, which would not match the auth-fail event. The practitioner caveat is that addr.src is an IP address field, so a value of user@domain.com never matches anything; to isolate one user's failures in the system log, filter on the event and on the description text, for example ( eventid eq auth-fail ) and ( description contains 'user@domain.com' ), or use ( user.src eq 'user@domain.com' ) in the traffic log, where a user field exists.
Q2 (easy)

An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?

A

URL Filtering Report

B

Application Report

Application Report provides top applications by bandwidth.

C

Traffic Report

D

Threat Report

Why: The Application Report is designed to provide visibility into application usage, including bandwidth consumption, top applications, and application-level trends over a specified time period. This report type leverages the App-ID engine to classify traffic by application, regardless of port or protocol, making it the correct choice for identifying top applications by bandwidth usage.
Q3 (easy)

A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?

A

Network > Virtual Routers

B

Device > Troubleshooting > Security Policy Match

Security Policy Match simulates a flow and reports the rule it would hit.

C

Monitor > Logs > Traffic

D

Device > Setup > Management

Why: Option B is correct. The Device > Troubleshooting page (PAN-OS 9.0 and later) has a Security Policy Match test that takes source and destination zone, addresses, protocol, port and optionally application and user, runs the lookup against the committed rulebase, and reports the matching rule. The same test is available on the CLI as test security-policy-match from <zone> to <zone> source <ip> destination <ip> protocol <number> destination-port <port>. The traffic log (C) only shows sessions that already occurred and, when the suspicion is a missing policy, may show nothing at all because traffic hitting the interzone-default rule is not logged unless logging is enabled on that rule; the virtual router page (A) covers routing, not policy, and option D is management configuration. When the test returns the expected allow rule but traffic still fails, move on to NAT policy match and routing, which the same Troubleshooting page also covers.
Q4 (medium)

A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?

A

Virtual System Admin

Vsys admin can be scoped to a specific vsys with limited permissions.

B

Superuser

C

Device Admin

D

Role-Based Admin

Why: A Virtual System Admin role is specifically designed to delegate administrative access to a single virtual system (vsys) within a Palo Alto Networks firewall. This role allows the junior administrator to configure security policies and objects within their assigned vsys, while explicitly preventing access to system settings, device-level configurations, or other virtual systems. This matches the requirement exactly.
Q5 (medium)

An administrator is troubleshooting high CPU usage on a PA-5250 firewall. The CPU usage spikes every 5 minutes. Which CLI command should be used to identify the process causing the spike?

A

show session all

B

show dataplane

C

show running resource-monitor

Shows dataplane CPU per core and packet buffer usage sampled over time, which exposes a periodic spike.

D

show system resources

Why: Option C is the intended answer. show running resource-monitor reports dataplane CPU utilization per core together with packet buffer, packet descriptor and session utilization, sampled over the last seconds, minutes, hours, days or weeks (for example show running resource-monitor minute last 10), so a spike every five minutes shows up as a repeating pattern rather than a single reading. The caveat is that it shows which dataplane core or resource is busy, not a named process: if the spike turns out to be on the management plane (a scheduled report, log forwarding, a dynamic update check), use show system resources follow, which is a live top of management-plane processes, to see which daemon is responsible. Option A lists sessions rather than resource usage, and option D on its own gives a single snapshot that is easy to take between spikes.
Q6 (medium)

A firewall is configured with two ISPs for redundancy. The administrator wants to ensure that traffic from internal users is load-balanced across both links based on source IP. Which configuration method should be used?

A

Static routes with different metrics

B

Policy-Based Forwarding (PBF)

C

Path monitoring

D

ECMP with source IP hash

IP Hash on the source address sends every flow from one source down the same equal-cost path while spreading different sources across both.

Why: D is correct. ECMP is enabled on the virtual router (Network > Virtual Routers > Router Settings > ECMP) with the two default routes at equal metric, and the IP Hash load-balance method with the Use Source Address Only option hashes just the source address, so all packets and sessions from one internal host leave through the same ISP while different hosts are distributed across both. That per-source stickiness matters with NAT, because return traffic for a session must come back over the link whose public address was used. Static routes with different metrics (A) give failover, not load sharing; path monitoring (C) only detects a failed next hop; and PBF (B) can steer by source but needs a rule per group of sources rather than a hash. Confirm the routes are installed with show routing route, where both defaults carry the ECMP flag, and the path for a given destination with test routing fib-lookup virtual-router <vr> ip <destination>.
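The stickiness this answer relies on is a consequence of hashing only the source address. The Python below is an added example written for this page, not Palo Alto Networks' hash implementation: the hash function (SHA-256 over a seed and the packed address), the two-link path list and the client and destination ranges are constructed assumptions. It compares source-only hashing with source-plus-destination hashing for the same client and shows how a /24 of clients spreads over two links.

```python
"""Added example (not Palo Alto Networks' implementation): hash-based equal-cost path selection,
showing that hashing on the source address alone keeps every flow from one source on one link,
while hashing on source and destination spreads one source's flows across links.
The hash, the seed handling and all addresses below are constructed assumptions."""
import hashlib
import ipaddress
from collections import Counter
from typing import Iterable, List, Optional, Set


def pick_path(src: str, paths: List[str], dst: Optional[str] = None, seed: int = 0) -> str:
    """Map a flow to one of the equal-cost paths. With dst=None the hash covers the source only."""
    key = seed.to_bytes(4, "big") + ipaddress.ip_address(src).packed
    if dst is not None:
        key += ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def paths_used(src: str, dsts: Iterable[str], paths: List[str], per_destination: bool) -> Set[str]:
    """Set of links a single source ends up on when talking to many destinations."""
    return {pick_path(src, paths, dst if per_destination else None) for dst in dsts}


def distribution(sources: Iterable[str], paths: List[str], seed: int = 0) -> Counter:
    """How many sources land on each link under source-only hashing."""
    return Counter(pick_path(s, paths, seed=seed) for s in sources)


# Constructed sample data: two ISP links, a /24 of internal clients, a /24 of internet destinations.
LINKS = ["isp1", "isp2"]
CLIENTS = [str(ip) for ip in ipaddress.ip_network("10.0.1.0/24").hosts()]
SITES = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/24").hosts()]

if __name__ == "__main__":
    print("clients per link:", dict(distribution(CLIENTS, LINKS)))
    print("links used by 10.0.1.25, source-only hash:",
          paths_used("10.0.1.25", SITES, LINKS, per_destination=False))
    print("links used by 10.0.1.25, source+destination hash:",
          paths_used("10.0.1.25", SITES, LINKS, per_destination=True))
```

The source-only variant returns a single link for the client no matter how many destinations it talks to, which is the behaviour that keeps a NATed session's return traffic on the right ISP; the source-plus-destination variant spreads the same client over both links and is only safe where return traffic does not depend on which link was used. The seed argument models the hash seed option: two chained ECMP devices with the same hash and seed would polarize traffic onto one link at the second hop.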


Domain 9: Troubleshoot

Q1 (medium)

A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?

A

Check the traffic logs for any denial events

B

Check the IPSec tunnel status and IKE/IPSEC SA rekey timers

Intermittent connectivity every few minutes often indicates a mismatch in SA lifetime or rekey failure.

C

Reboot the firewall to clear any stale sessions

D

Verify the routing table on both firewalls

Why: The pattern (works for a few minutes, drops, recovers) is the signature of a rekey problem: traffic flows while the IPsec SA is valid, stops when its lifetime expires and the renegotiation fails, and resumes once a fresh SA is eventually built. Checking the tunnel status and the IKE/IPsec lifetimes on both ends is the right first step because it targets the likely root cause without changing anything. On a PAN-OS firewall, show vpn ipsec-sa tunnel <name> shows the current SA and its remaining lifetime, show vpn flow shows whether packets are being encapsulated, and the system log (subtype vpn) records the rekey exchanges; compare lifetimes, proxy IDs and PFS settings between the two peers. A traffic log (A) shows nothing useful for packets lost inside the tunnel, a reboot (C) masks the symptom, and a routing fault (D) would cause a constant rather than periodic failure.
Q2 (hard)

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

A

Session offload is causing the packet to bypass security checks

B

The firewall is unable to resolve the destination MAC address

C

Asymmetric routing causes the firewall to drop the SYN packet

The firewall can forward the SYN and log an allow while the reply path bypasses it, so the handshake never completes; confirm with drop counters and a capture before blaming the policy.

D

The destination NAT is misconfigured

Why: The intended answer is asymmetric routing: the SYN from the client enters through this firewall, matches the allow rule and is logged, but the SYN-ACK from the server returns along a path that does not pass through the same firewall (or arrives on a different interface of it). Because the firewall is stateful and, by default, refuses TCP packets that are not the first SYN of a session it already knows, the handshake never completes and the application request is never received by the server. Before settling on that, confirm that the firewall actually transmitted the SYN: a traffic log entry with the allow rule proves the policy lookup, not delivery. show counter global filter delta yes severity drop (run twice to see what is incrementing) and a packet capture on the transmit stage for the server address show whether the packet left the egress interface; options B and D (no MAC resolution for the next hop, or a wrong destination NAT sending the packet to the wrong host) produce the same user-visible symptom and are excluded with show arp all and show running nat-policy. Option A is not a real behaviour; session offload does not skip policy. If the SYN did leave and the return path is the problem, the fix is to correct the routing so both directions traverse the same firewall; disabling tcp-reject-non-syn-tcp is a last resort that weakens inspection.
Q3 (easy)

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

A

Check the security policy rulebase order and matching

The traffic might be matching a deny rule placed before the allow rule.

B

Verify the user-ID agent is mapping the IP correctly

C

Check the service configuration for the destination port

D

Check the NAT configuration for the user's subnet

Why: The first thing to verify is the security policy rulebase order and matching because Palo Alto Networks firewalls evaluate rules in a top-down order and apply the first matching rule. Even if a rule exists that allows traffic from subnet 10.1.1.0/24 to any, a preceding rule with a deny action or a more specific match could be blocking the traffic from 10.1.1.100. Checking rule order ensures that the intended allow rule is actually being hit before investigating other potential issues.
Q4 (medium)

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

A

The application is using asymmetric routing

B

The security policy is not logging the traffic correctly

C

The firewall is not inspecting UDP traffic correctly

D

The firewall is dropping the return traffic due to a missing policy

Replies within the allowed UDP session are matched by the session and need no second rule; only a separate flow that the server initiates needs its own policy.

Why: The answer the question intends is D, but read it carefully: the firewall is stateful, so the server's replies within the same UDP session (same addresses and ports, reversed) are matched against the existing session and pass without any return rule, and their absence from the log is normal because only the session's opening direction is logged. What does need a rule is traffic the server initiates as a new flow, for example a separate data channel it opens back to the client on a different port; that is a new session from the server's zone to the client's zone and is dropped by the interzone-default rule, whose logging is off by default, which is why the logs look clean (enable logging on that rule to see the denies). Check with a packet capture on the receive stage for the server's address and with show session all filter destination <client-ip> to see whether a second session is being attempted. If no server-initiated flow exists, suspect asymmetric routing (A) or an App-ID problem: a new application on UDP 12345 is classified as unknown-udp until it is identified, and a rule written with a specific application rather than a service would not match it.
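The three session-table behaviours that Q2 (asymmetric routing) and this question depend on, namely that replies match the existing session without a second rule, that a server-initiated flow is a new session needing its own rule, and that a non-SYN TCP packet with no session is dropped, can be made concrete with a toy stateful firewall. The Python below is an added example written for this page, not PAN-OS code; the rules, addresses and packets are constructed, and the reject_non_syn_tcp flag stands in for the PAN-OS tcp-reject-non-syn-tcp setting.

```python
"""Added example (a toy model for this page, not PAN-OS code): a stateful session table.
Shows that replies of an allowed flow match the session and need no second rule, that a separate
server-initiated flow is a new session that does need a rule, and that a TCP packet which is not a
SYN and matches no session is dropped, which is what asymmetric routing produces.
All rules, addresses and packets below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"


class StatefulFirewall:
    """First-match rulebase plus a session table keyed on the client-to-server 5-tuple."""

    def __init__(self, rules: List[Rule], reject_non_syn_tcp: bool = True):
        self.rules = rules
        self.reject_non_syn_tcp = reject_non_syn_tcp   # stands in for tcp-reject-non-syn-tcp
        self.sessions = set()

    def match_rule(self, pkt: Packet) -> Optional[Rule]:
        for r in self.rules:
            if (r.proto == pkt.proto
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src_net)
                    and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r.dst_net)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r
        return None                                     # falls to the implicit interzone deny

    def process(self, pkt: Packet) -> str:
        c2s = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        s2c = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if c2s in self.sessions:
            return "allow: existing session (c2s)"
        if s2c in self.sessions:
            return "allow: existing session (s2c reply)"   # no rule lookup for replies
        if pkt.proto == "tcp" and self.reject_non_syn_tcp and not (pkt.syn and not pkt.ack):
            return "drop: tcp non-syn packet with no session"   # the asymmetric-routing symptom
        rule = self.match_rule(pkt)
        if rule is None or rule.action != "allow":
            return "drop: no matching allow rule"
        self.sessions.add(c2s)                          # only session-opening packets create state
        return "allow: new session"


# Constructed rulebase: internal clients may reach the app server on UDP 12345 and TCP 80.
RULES = [
    Rule("10.0.0.0/8", "192.168.50.0/24", "udp", 12345, "allow"),
    Rule("10.0.0.0/8", "192.168.50.0/24", "tcp", 80, "allow"),
]


def demo(reject_non_syn_tcp: bool = True) -> List[Tuple[str, str]]:
    """Run a constructed packet sequence through the firewall and return (label, verdict) pairs."""
    fw = StatefulFirewall(RULES, reject_non_syn_tcp)
    steps = [
        ("udp request",      Packet("udp", "10.1.1.10", 40000, "192.168.50.5", 12345)),
        ("udp reply",        Packet("udp", "192.168.50.5", 12345, "10.1.1.10", 40000)),
        ("server-initiated", Packet("udp", "192.168.50.5", 50000, "10.1.1.10", 12346)),
        ("syn via this fw",  Packet("tcp", "10.1.1.10", 50000, "192.168.50.8", 80, syn=True)),
        ("syn-ack reply",    Packet("tcp", "192.168.50.8", 80, "10.1.1.10", 50000, syn=True, ack=True)),
        ("stray syn-ack",    Packet("tcp", "192.168.50.9", 80, "10.1.1.11", 50001, syn=True, ack=True)),
    ]
    return [(label, fw.process(p)) for label, p in steps]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:18} {verdict}")
```

The "udp reply" passes on the session alone, which is why a return rule is never the fix; the "server-initiated" packet is a fresh flow from the server's side and hits the implicit deny, which is the case option D is really about; and the "stray syn-ack", a reply whose SYN went through another path, is dropped before any rule is consulted, the asymmetric-routing symptom from Q2. Turning reject_non_syn_tcp off only changes the reason string for that last packet, because it still has no allow rule in this direction.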
Q5 (hard)

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

A

The portal service is not running

B

The portal's IP address is not routable from the internet

C

The portal certificate's subject name does not match the portal URL

D

The client does not trust the certificate authority that signed the portal certificate

The TLS handshake fails because the client cannot verify the server certificate.

Why: 'TLS handshake failed' means the client and portal could not complete TLS, and since the portal's address is reachable the failure is certificate validation, not connectivity. The GlobalProtect app validates the portal certificate against the operating system's trust store, and an internal CA is absent from it on unmanaged or newly issued machines, so the app rejects the certificate and aborts the handshake. Option C would also fail validation and is worth ruling out, but a name mismatch cannot be fixed by distributing the CA and tends to surface as a complaint about the certificate's name; option A would refuse the TCP connection and option B contradicts the scenario. Check from outside with openssl s_client -connect <portal-fqdn>:443 -servername <portal-fqdn> to see the chain the portal actually presents, and make sure the firewall serves the intermediate certificates along with the leaf, because a missing intermediate produces the same error even on clients that trust the root. The durable fix is either a certificate from a public CA or distribution of the internal root CA to endpoints, through the operating system or by letting the portal push trusted root CAs to the app.
Q6 (medium)

After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?

A

The SSL decryption policy is configured correctly

B

The security rule is still referencing the correct URL filtering profile

C

The URL filtering license is still valid

D

The URL filtering database is up-to-date

After an upgrade, confirm the firewall can still reach the PAN-DB cloud and that its local URL database and cache are current.

Why: Option D is the intended answer. URL filtering decisions depend on the categorization the firewall has available: the seed database downloaded from PAN-DB, its local cache, and live lookups to the cloud. If the upgrade left the local database missing or stale, or the cloud connection has not been re-established, URLs fall into unknown or not-resolved categories and the profile's block actions for the expected categories never fire. Check show url-cloud status for cloud connectivity and the database version, and test url <url> to see how a specific URL is categorized right now; a fresh seed database can be pulled with the request url-filtering download command. Option C is worth a glance because an expired license also breaks categorization, but the scenario is a routine upgrade with the profile still applied; option B is visible in the rule itself, and decryption (A) only matters for HTTPS sites, where without decryption the category is inferred from the SNI or certificate rather than the full URL.


Frequently asked questions

How many questions are on the PCNSE exam?

The PCNSE exam has 75 questions and must be completed in 90 minutes. The passing score is 700/1000.

What types of questions appear on the PCNSE exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are PCNSE questions organised by domain?

The exam covers 9 domains: Deploy and Configure Firewalls, Securing Traffic and App-ID, Securing Users and Applications with Authentication, Decryption and SSL Inspection, Managing Troubleshooting and High Availability, Core Concepts and Architecture, Secure Access and VPN, Manage, Monitor and Operate, Troubleshoot. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual PCNSE exam questions?

No. These are original exam-style practice questions written against the official Palo Alto Networks PCNSE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
