Palo Alto Networks · Free Practice Questions · Last reviewed May 2026
54 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it is right and why the others are wrong.
A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?
The HA1 link is down or misconfigured.
The HA2 link is being used for management traffic.
The preemptive setting is enabled on both firewalls.
The HA2 link is down or misconfigured.
HA2 is required for session synchronization; if it fails, the active firewall reports non-functional.
A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?
Another rule earlier in the policy matches the traffic and allows it before reaching this rule.
If an earlier rule allows the traffic, this rule is never evaluated, and logging is not triggered.
The firewall is configured to not log interzone traffic.
The source address 10.1.0.0/16 is not part of the 10.0.0.0/8 subnet.
The logging profile is not applied to the rule.
A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?
allow
'allow' permits the traffic.
reset-both
deny
drop
An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?
The static route in VR1 does not point to an interface or next hop that is reachable via VR2.
A next hop of 10.0.0.1 is only usable if VR1's own routing table can reach it. Routes in VR2 are invisible to VR1 unless the VR1 static route uses 'Next VR' (VR2) as its next hop or routes are redistributed between the two virtual routers.
The firewall does not support multiple virtual routers.
The virtual routers are not connected to each other.
NAT is not configured on VR2.
An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?
The source address 10.0.0.0/8 is not included in the source zone.
The destination address is set to 'any', which is not valid.
The traffic is intra-zone, not inter-zone.
A rule with a 'deny' action appears earlier in the security policy.
If a deny rule matches before the allow rule, the traffic is denied.
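The two scenarios above (an earlier allow rule swallowing 10.1.0.0/16 so the logged rule is never reached, and a deny rule sitting above the allow rule) are both consequences of top-down, first-match evaluation. The following is an added example, not PAN-OS code or anything from the original page: the Rule and Flow shapes, the rulebase and the helper names are constructed assumptions. It evaluates a flow the way the rulebase would and also reports rules that can never be hit because an earlier rule already covers their whole match space.

```python
"""Top-down, first-match security policy evaluation with shadow detection.

Added example, not PAN-OS code: the Rule/Flow shapes and the rulebase below are
constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # zone name or "any"
    dst_zone: str
    src: str             # CIDR or "any"
    dst: str
    action: str          # "allow" or "deny"
    log_at_end: bool = True


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str


def _zone_covers(spec, zone):
    return spec == "any" or spec == zone


def _addr_covers(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def rule_matches(rule, flow):
    return (_zone_covers(rule.src_zone, flow.src_zone) and _zone_covers(rule.dst_zone, flow.dst_zone)
            and _addr_covers(rule.src, flow.src_ip) and _addr_covers(rule.dst, flow.dst_ip))


def evaluate(rulebase, flow):
    """First matching rule wins; later rules are never consulted for that flow.

    With no match the predefined rules apply: intrazone allow, interzone deny,
    neither logged unless those predefined rules have been edited to log.
    """
    for index, rule in enumerate(rulebase):
        if rule_matches(rule, flow):
            return {"rule": rule.name, "index": index, "action": rule.action, "logged": rule.log_at_end}
    intrazone = flow.src_zone == flow.dst_zone
    return {"rule": "predefined-intrazone" if intrazone else "predefined-interzone",
            "index": -1, "action": "allow" if intrazone else "deny", "logged": False}


def shadowed_rules(rulebase):
    """(rule, shadowing_rule) pairs where an earlier rule already covers the whole match space."""
    found = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if (_zone_covers(earlier.src_zone, later.src_zone) and _zone_covers(earlier.dst_zone, later.dst_zone)
                    and _net_covers(earlier.src, later.src) and _net_covers(earlier.dst, later.dst)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rulebase reproducing both scenarios: an older, unlogged allow rule
# that swallows 10.1.0.0/16, and a deny rule that sits above a narrower allow rule.
RULEBASE = (
    Rule("legacy-allow", "Trust", "Untrust", "10.1.0.0/16", "any", "allow", log_at_end=False),
    Rule("block-guest", "Trust", "Untrust", "10.9.0.0/16", "any", "deny"),
    Rule("allow-internet-logged", "Trust", "Untrust", "10.0.0.0/8", "any", "allow"),
    Rule("redundant-guest-allow", "Trust", "Untrust", "10.9.1.0/24", "any", "allow"),
)

if __name__ == "__main__":
    for ip in ("10.1.0.5", "10.9.0.7", "10.2.0.5"):
        print(ip, evaluate(RULEBASE, Flow("Trust", "Untrust", ip, "203.0.113.10")))
    print("shadowed:", shadowed_rules(RULEBASE))
```

Running it shows 10.1.0.5 landing on legacy-allow (allowed, not logged) and 10.9.0.7 landing on block-guest (denied) before the broad logged rule is ever consulted, and flags redundant-guest-allow as unreachable. On a real firewall the equivalent checks are the Security Policy Match test under Device > Troubleshooting and the shadow warnings raised at commit time.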
Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?
Two physical or subinterfaces assigned to the vwire.
A vwire requires exactly two interfaces.
A management profile must be applied to the vwire.
A zone must be assigned to the vwire.
The interfaces must be of type 'aggregate'.
No IP addresses configured on the interfaces used in the vwire.
Vwire interfaces are transparent 'bump in the wire' ports: they carry no IP address and take no part in routing or switching.
A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?
The custom App-ID must be added to a security profile group.
The custom App-ID needs a vulnerability profile to be activated.
The security policy rule uses the destination port instead of App-ID.
An application override rule must be configured to associate the custom App-ID with the traffic.
A custom application object that has no signature is only ever assigned to traffic by an application override rule: the rule matches on zone, address, protocol and port, skips App-ID signature inspection, and labels the session with the custom App-ID. The security policy must then reference that custom application, not the port.
During a security audit, it is discovered that some HTTPS traffic is being identified as 'web-browsing' instead of 'ssl'. The firewall is positioned as a transparent bridge and no SSL decryption is configured. What is the most likely cause?
SSL decryption must be enabled for the firewall to correctly identify SSL traffic.
The firewall is not seeing the full SSL handshake due to asymmetric routing.
Asymmetric routing can prevent the firewall from seeing the SSL handshake, causing it to identify the traffic as HTTP.
The default interzone rule is blocking the SSL identification packets.
The security policy allows 'web-browsing' before 'ssl' in the rule order.
A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?
Create a security rule with application conditions set to 'facebook-base' and 'youtube' and action set to 'allow'.
This rule allows only the specified applications.
Create a security rule with destination port 80 and 443 and action set to 'allow'.
Create a security profile that blocks all applications not in the allow list.
Create a URL filtering rule to allow 'social-networking' and 'multimedia' categories.
A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?
The firewall must be rebooted for the custom App-ID to take effect.
An application override rule has not been configured to associate the traffic with the custom App-ID.
Application override rules match traffic on zone, address, protocol and port, bypass App-ID signature inspection, and tag the session with the named custom App-ID; for a custom application defined without a signature this is the only way it gets applied.
The custom App-ID must be enabled in the 'Applications' section of the firewall settings.
The firewall cannot identify applications over UDP.
An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?
Confirm that the source and destination users are correctly configured.
Ensure that a security profile is applied to the rule to allow the application.
Check if the rule is placed after a deny-all rule.
Verify that the firewall is correctly identifying the traffic as 'ms-update' using App-ID.
If the traffic is not identified as 'ms-update', the rule will not match.
Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?
Right-clicking on a session in the Traffic log and selecting 'Create App-ID'.
Using the 'Application Command Center' to automatically generate custom App-IDs.
Using the 'set application' command in the CLI.
CLI allows configuration of custom applications.
Importing an App-ID definition file from a CSV.
Using the 'Objects' > 'Applications' > 'Add' menu in the web interface.
This is the standard method: custom applications are created under Objects > Applications. Application Filters, by contrast, build dynamic groups of existing applications by category, risk or other attributes and cannot define a new App-ID.
A company wants to enforce MFA for VPN users but allow users to authenticate without MFA when connecting from the corporate office. Which authentication policy configuration achieves this?
Disable MFA in the global Authentication Profile
Create an authentication policy with source zone 'Corporate' set to 'require MFA'
Create an authentication policy with source zone 'Corporate' set to 'allow' and authentication method 'no MFA'
This allows authentication without MFA from the corporate zone.
Create an authentication policy with source zone 'Corporate' set to 'no-auth' and action 'allow'
After configuring SAML authentication for GlobalProtect, users report they are repeatedly prompted for credentials even though they already authenticated via the IdP. The IdP's logs show the SAML authentication succeeded, but the firewall's portal log shows 'user-login-failure: invalid saml assertion'. What is the most likely cause?
The IdP does not support IdP-initiated SAML flow
The user mapping agent is not configured
The firewall and IdP system clocks are out of sync
A SAML assertion carries NotBefore and NotOnOrAfter conditions, usually only a few minutes apart. If the firewall's clock falls outside that window it rejects an assertion the IdP considers perfectly valid; both systems should be synchronised to NTP.
The SAML identity provider certificate is expired
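The clock-skew failure above comes down to the verifier comparing its own clock against the assertion's NotBefore/NotOnOrAfter window. The following is an added example, not PAN-OS or IdP code: the assertion text, the audience, the `utc` helper and the `skew_minutes` tolerance are constructed assumptions, and signature verification is deliberately left out so the time-window logic stands on its own.

```python
"""Time-window validation of a SAML assertion when the verifier's clock is skewed.

Added example, not PAN-OS or IdP code. The assertion text, the audience, the
`utc` helper and the skew tolerance parameter are constructed assumptions;
signature verification is deliberately out of scope.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
AUDIENCE = "https://vpn.example.test/SAML20/SP"   # the SP entity ID this verifier expects

# Constructed sample: the IdP's clock read 12:00:00Z and it allowed a five-minute window.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0"
    IssueInstant="2026-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>user1@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-05-01T12:00:00Z" NotOnOrAfter="2026-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def utc(hour, minute, second=0):
    """Verifier clock value on the sample date, for readable scenarios."""
    return datetime(2026, 5, 1, hour, minute, second, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML dateTime values are UTC with a 'Z' suffix; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, now, audience, skew_minutes=0):
    """Return (accepted, reason). `now` is the verifier's own clock; `skew_minutes`
    is how far outside the window the verifier is willing to tolerate."""
    skew = timedelta(minutes=skew_minutes)
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "audience mismatch"
    if now < not_before - skew:
        return False, f"not yet valid: NotBefore {not_before:%H:%M:%S}Z vs verifier clock {now:%H:%M:%S}Z"
    if now >= not_on_or_after + skew:
        return False, f"expired: NotOnOrAfter {not_on_or_after:%H:%M:%S}Z vs verifier clock {now:%H:%M:%S}Z"
    return True, "ok"


if __name__ == "__main__":
    for label, clock in (("firewall 2 min slow", utc(11, 58)), ("firewall in sync", utc(12, 0, 30)),
                         ("firewall 6 min fast", utc(12, 6))):
        print(label, validate_conditions(ASSERTION, clock, AUDIENCE),
              "with 3 min tolerance:", validate_conditions(ASSERTION, clock, AUDIENCE, skew_minutes=3))
```

A firewall running two minutes slow rejects the assertion as not yet valid even though the IdP just issued it; a tolerance of a few minutes masks that, but every minute of tolerance also widens the window in which a captured assertion can be replayed, so the real fix is NTP on both sides, not a generous skew setting.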
A network administrator needs to authenticate users accessing the internet through the firewall using Active Directory credentials. Which authentication method should be used to transparently authenticate users without requiring a browser-based captive portal?
LDAP
NTLM
SAML
Kerberos
Kerberos provides transparent authentication for domain users.
An organization has deployed GlobalProtect with certificate authentication. Users on macOS report that after updating their client, they cannot connect and see error 'Certificate validation failed: The certificate hash does not match.' What is the most likely cause?
The certificate pinning configuration on the gateway has a hash mismatch
Certificate pinning enforces specific hash; client update may change the hash.
The root CA certificate is not trusted on the client
The CRL is not reachable
The GlobalProtect gateway certificate is expired
An administrator configured the authentication profile shown. Users in the domain 'EXAMPLE' are unable to authenticate; logs show 'Authentication failed: user not found'. What is the likely issue?
The 'allow-list' is restricting authentication to only user1 and user2
Only those two users are allowed; others are denied.
The Kerberos server profile 'KDC-Profile' is misconfigured
The expiration time of 60 minutes is too short
The realm 'EXAMPLE.COM' does not match the domain 'EXAMPLE'
Which TWO authentication methods support single sign-on (SSO) capabilities in Palo Alto Networks firewalls?
LDAP
Local Database
Kerberos
Kerberos provides transparent SSO for domain users.
RADIUS
SAML
SAML enables SSO across different services.
An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?
Disable decryption globally and create a custom URL category for the financial domains to enable decryption only for those.
Create two Decryption Policy rules: one with 'ssl-decrypt' action for the general category and a second rule with 'no-decrypt' action for the financial domains.
Decryption policy is evaluated top-down, first match, so the 'no-decrypt' rule for the financial domains (typically a custom URL category) must sit above the broad 'decrypt' rule; placed below it, the exemption is never reached.
Upload the server certificates for the financial domains to the firewall and enable 'no-decrypt' on the Decryption Profile.
Configure a single Decryption Policy rule with a 'decrypt' action and add the financial domains to the 'Exclude Certificate' list.
Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?
SSL Forward Proxy decryption can only be applied to traffic destined for TCP port 443.
Decryption policy rules can match on source zone, source user, destination IP, URL category, and service.
These are common match criteria for decryption policy rules.
The firewall must generate a certificate on-the-fly signed by a trusted CA for each decrypted session.
The firewall acts as a man-in-the-middle: it copies the server certificate's attributes into a new certificate signed by its Forward Trust CA (an enterprise CA the clients already trust) and presents that to the client.
An 'ssl-decrypt' action in a decryption rule requires that the associated decryption profile includes a certificate for the firewall to use.
The firewall can inspect the Server Name Indication (SNI) field in the ClientHello to determine the destination hostname.
The SNI sits in the cleartext ClientHello, so the hostname (and therefore its URL category) is available for decryption policy matching before the firewall decides whether to decrypt at all.
You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?
The forward trust certificate has expired or is not trusted by the clients in Branch Office A.
The decryption profile for Branch Office A is configured with an incorrect cipher suite that is not supported by the external websites.
Traffic from Branch Office A is asymmetrically routed, causing the TLS handshake to be incomplete.
Asymmetric routing can cause the firewall to see only one side of the TCP handshake, leading to SSL handshake failures.
The decryption policy rule for Branch Office A is missing the 'ssl-decrypt' action.
A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?
Configure the SSL/TLS Service Profile to bypass decryption for the domain.
Configure a Decryption Profile to exclude the domain.
Create a Decryption Policy rule matching the traffic and set the action to 'No Decrypt'.
Decryption Policy rules with 'No Decrypt' action are the correct way to exclude traffic from decryption based on zone, URL category, etc.
Enable certificate revocation checking for the decryption zone.
Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment in a Palo Alto Networks firewall?
Decryption is applied globally to all traffic; selective decryption is not possible.
The firewall can decrypt all TLS sessions regardless of client certificate authentication.
When deploying SSL Forward Proxy, the firewall must generate a certificate for each decrypted session to re-encrypt traffic to the client.
The firewall acts as a proxy, generating a certificate signed by a trusted CA to re-encrypt traffic to the client.
Traffic using Server Name Indication (SNI) in TLS must be decrypted at the firewall or it will be dropped.
The firewall uses a decryption policy to determine which traffic to decrypt.
Decryption policy rules define which traffic is decrypted based on source, destination, URL category, etc.
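The decryption questions above hinge on two things: the firewall reads the destination hostname from the cleartext SNI before deciding anything, and the decryption rulebase is first-match, so the exemption must precede the broad decrypt rule. The following is an added example, not PAN-OS code or code from the original page: the ClientHello builder, the `DecryptRule` shape, the policy contents and the function names are constructed assumptions. It builds a minimal ClientHello, parses the SNI out of it (returning None when the handshake is incomplete, which is the asymmetric-routing failure mode) and runs the result through both rule orders.

```python
"""Parse the SNI from a TLS ClientHello and run it through an ordered decryption policy.

Added example, not PAN-OS code: the ClientHello builder, the DecryptRule shape
and the two policies below are constructed assumptions for illustration.
"""
import fnmatch
import struct
from dataclasses import dataclass


def build_client_hello(server_name):
    """Minimal TLS ClientHello record carrying an SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type host_name(0), length, name
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list      # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x0017, 0)                             # extended_master_secret; parser must skip it
    extensions = other_ext + sni_ext
    body = (b"\x03\x03" + bytes(32)                                       # client_version, random
            + b"\x00"                                                     # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                          # one cipher suite
            + b"\x01\x00"                                                 # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the bytes are not
    a complete ClientHello (truncated capture, non-TLS payload, or no SNI present)."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                    # only part of the handshake was seen
        p = 34                                             # version(2) + random(32)
        p += 1 + body[p]                                   # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher_suites
        p += 1 + body[p]                                   # compression_methods
        if p + 2 > len(body):
            return None                                    # no extensions block
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type != 0:
                continue
            q = 2                                          # skip server_name_list length
            while q + 3 <= len(data):
                name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


@dataclass(frozen=True)
class DecryptRule:
    name: str
    src_zone: str
    hosts: tuple        # hostname patterns with '*' wildcards; ("any",) matches everything
    action: str         # "decrypt" or "no-decrypt"


def _host_matches(patterns, host):
    return any(p == "any" or fnmatch.fnmatchcase(host, p) for p in patterns)


def decryption_decision(policy, src_zone, client_hello):
    """First matching rule wins, top-down; with no match the session is left encrypted."""
    host = extract_sni(client_hello) or ""
    for rule in policy:
        if rule.src_zone in ("any", src_zone) and _host_matches(rule.hosts, host):
            return rule.name, rule.action, host
    return "no-rule", "no-decrypt", host


CORRECT_ORDER = (DecryptRule("no-decrypt-financial", "Trust", ("*.bank.com", "bank.com"), "no-decrypt"),
                 DecryptRule("decrypt-outbound", "Trust", ("any",), "decrypt"))
WRONG_ORDER = tuple(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    hello = build_client_hello("online.bank.com")
    print("SNI:", extract_sni(hello))
    print("correct order:", decryption_decision(CORRECT_ORDER, "Trust", hello))
    print("wrong order:  ", decryption_decision(WRONG_ORDER, "Trust", hello))
    print("truncated:    ", extract_sni(hello[:40]))
```

With the exemption first, online.bank.com is left alone; with the rules swapped, the 'any' decrypt rule wins and the bank session is decrypted despite the exemption existing. Two caveats a practitioner should keep in mind: the SNI is client-supplied, so an exemption keyed only on hostname can be claimed by any client that sets that SNI (pair it with the No Decryption profile's checks on the real server certificate), and a truncated handshake yields no SNI at all, which is what an asymmetric path looks like to the firewall.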
Order the steps to configure a static route on a Palo Alto Networks firewall.
A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?
The ARP table was not synchronized during failover.
The HA2 link is down, causing session table mismatch.
The new active firewall does not have a valid license.
The session setup rate exceeded the new active firewall's capacity.
If the session setup rate is too high, the firewall may drop new sessions while still being manageable.
A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?
Link failure
Active/Active
Passive/Passive
Split brain
Both peers claiming the active role in an active/passive pair is a split-brain condition; it usually follows loss of HA1 control-link communication with no backup HA1 link. Active/active is a separate, deliberately configured HA mode, not a fault.
An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show running ip route command shows the default route is missing. What is the most likely cause?
Floating static routes were not configured on the passive firewall.
Floating static routes are not synchronized and must be configured on both firewalls.
Static routes were not synchronized.
OSPF routes were not synchronized.
BGP routes were not synchronized.
During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?
Configure HA3 for stateful inspection.
Increase HA1 keepalive timer.
Enable config sync on HA1.
Enable session sync on HA2.
Session sync ensures sessions are replicated to the passive firewall.
Which TWO conditions can cause both firewalls in an active/passive HA pair to become active (split brain)? (Choose two.)
Loss of HA keepalive on both sides
If HA1 keepalives stop arriving, each firewall assumes its peer has failed and takes the active role.
License expiration on one firewall
Session synchronization failure
Configuration mismatch between peers
HA1 link failure
If HA1 (and any backup HA1 link) fails, the peers can no longer exchange heartbeats or state, and both may become active.
Based on the exhibit, what caused the last failover?
The HA2 link went down.
A preemption event occurred.
The peer firewall was rebooted.
The HA1 keepalive from the peer was lost.
The output shows 'last failure reason: peer HA1 keepalive lost'.
A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?
Create separate virtual systems (VSYS) for each tenant on the same firewall.
VSYS provides complete logical separation of configuration, routing, and policies per tenant.
Deploy multiple VM-Series firewalls as separate instances on the same hypervisor.
Use active/active HA mode to assign each tenant to a different firewall.
Configure multiple virtual routers (VRFs) within the same virtual system.
A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?
The route lookup for the destination requires a larger MTU.
The firewall is not performing TCP MSS clamping on the traffic.
The firewall is using jumbo frames on the internal interface.
The packet is being encapsulated (e.g., IPsec) after routing, increasing its size beyond 1500 bytes.
Encapsulation adds headers; if the original packet is near MTU, the encapsulated packet exceeds it.
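The arithmetic behind that answer is worth seeing once, because it also gives the MSS value to clamp. The following is an added example, not PAN-OS code or code from the original page: the header sizes are the standard IPv4 and ESP values, while the cipher profile table and the function names are constructed assumptions.

```python
"""ESP tunnel-mode overhead: why a 1500-byte packet no longer fits a 1500-byte MTU.

Added example, not PAN-OS code. Header sizes are the standard IPv4/ESP values;
the cipher profile table and the function names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    iv_len: int      # explicit IV: 16 bytes for AES-CBC, 8 for AES-GCM
    align: int       # padding alignment: cipher block (16) for CBC, 4 for GCM (ESP minimum)
    icv_len: int     # integrity check value: 12 for HMAC-SHA1-96, 16 for HMAC-SHA256-128 and GCM


ESP_PROFILES = {
    "aes128-cbc/sha1": EspProfile(16, 16, 12),
    "aes256-cbc/sha256": EspProfile(16, 16, 16),
    "aes128-gcm": EspProfile(8, 4, 16),
}

IPV4_HDR = 20    # outer IP header added by tunnel mode
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header
UDP_HDR = 8      # NAT-T encapsulation, if in use
TCP_HDR = 20


def esp_tunnel_size(inner_len, profile, nat_t=False):
    """Wire size of an IPv4 packet of `inner_len` bytes after ESP tunnel-mode encapsulation."""
    plain = inner_len + ESP_TRAILER              # padding is computed over payload + trailer
    pad = (-plain) % profile.align
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + profile.iv_len
            + plain + pad + profile.icv_len)


def max_inner_len(mtu, profile, nat_t=False):
    """Largest inner IPv4 packet whose encapsulated form still fits `mtu`."""
    n = mtu
    while n > 0 and esp_tunnel_size(n, profile, nat_t) > mtu:
        n -= 1
    return n


def tcp_mss_for(mtu, profile, nat_t=False):
    """MSS to clamp on the inside interface so full TCP segments survive encapsulation."""
    return max_inner_len(mtu, profile, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for name, prof in ESP_PROFILES.items():
        print(f"{name:18} 1500-byte packet -> {esp_tunnel_size(1500, prof)} bytes on the wire; "
              f"max inner {max_inner_len(1500, prof)}, clamp MSS to {tcp_mss_for(1500, prof)}")
```

For AES-128-CBC with HMAC-SHA1 a 1500-byte packet becomes 1560 bytes on the wire, so with the DF bit set it is dropped rather than fragmented; clamping the inside MSS to 1398 (the interface's 'Adjust TCP MSS' setting on PAN-OS) keeps TCP below the limit, while UDP applications have to be sized by the sender.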
An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?
Security profiles
Security zones
Security policy rule groups
Rule groups allow logical grouping of rules and assignment to user/device groups.
Application groups
During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?
Reduced new session setup rate.
Reduced committed information rate (CIR) on QoS policies.
Increased latency for management access.
Increased packet drops due to buffer exhaustion.
When packet buffers are full, new packets are dropped.
A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?
The firewall will automatically redistribute the route to VR-B if needed.
The firewall will perform a reverse path forwarding (RPF) check on the source IP.
The packet will be dropped because the destination is not in the same VR as the ingress interface.
The firewall will use the zone of the egress interface to determine the security policy.
The route lookup in VR-A selects the egress interface, and that interface's zone becomes the destination zone for the security policy lookup. PAN-OS does not perform an RPF check by default (a reverse route check is only done when a Zone Protection profile's spoofed-IP protection is enabled), and a route that already resolves in VR-A needs nothing from VR-B.
A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?
Create a security policy rule with an application override to match the port.
Define a custom application with the appropriate protocol, port, and optionally a signature.
A custom application object carrying a signature lets App-ID identify the traffic on its own; one defined with only protocol and port can be applied solely through an application override rule.
Enable SSL decryption on the traffic to inspect encrypted payloads.
Add the port to the default application's 'port' field in the application object.
An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?
The remote users' computers are not domain-joined.
Kerberos needs the client to obtain a ticket from the domain's KDC, which a machine that is not domain-joined (or that cannot reach the KDC before the VPN is up) cannot do.
The external gateway is not configured for Kerberos authentication.
The authentication profile is not configured on the gateway.
The GlobalProtect gateway certificate is not trusted by the client.
A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?
Configure the portal to assign the gateway only when the user is external.
Set the gateway's 'Tunnel Mode' to 'No' for internal users.
Configure the gateway agent with internal host detection.
Set the portal's 'Internal Host Detection' to detect the internal network and set 'Gateway' to 'None' for the internal network.
When the portal detects an internal host, it can be configured to not assign a gateway, allowing direct access.
A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?
The tunnel interface is not in a virtual router.
The firewall does not have a route to the virtual IP pool.
Without a route for the virtual IP pool, the firewall cannot route return traffic to the tunnel interface.
The security policy does not allow traffic from the VPN zone.
The IP pool for the VPN client is exhausted.
A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?
The tunnel interface is not assigned to a security zone.
Dead peer detection (DPD) is not configured.
The local and peer IP addresses are swapped on one side.
If the local and peer IPs are reversed, the IKE negotiation will fail because the peer expects the opposite.
The MTU on the WAN interface is set too low.
An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?
The GlobalProtect app's cookie integrity is corrupted.
The IKE gateway's rekey lifetime is shorter than the IPSec security association lifetime.
If the IKE rekey lifetime expires before the IPSec SA, the tunnel may be torn down unexpectedly.
The GlobalProtect client needs to be reinstalled.
The user-id agent is not resolving usernames correctly.
A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?
Use user-ID on the GlobalProtect gateway.
Configure group mapping on the GlobalProtect portal.
Create a HIP profile and assign it to the gateway.
Configure a security policy with user-ID matching the required users.
Security policies can use user-ID to allow or deny traffic based on authenticated user.
A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?
(addr.src eq user@domain.com) or (eventid eq auth-fail)
(addr.src eq user@domain.com) and (severity ge medium)
(addr.src eq user@domain.com) and (eventid eq auth-fail)
Joins the source condition and the auth-fail event with 'and', so both must hold; 'or' would also return every authentication failure from every other source, and 'severity ge medium' would pull in unrelated events of that severity.
(src eq user@domain.com) and (eventid eq auth)
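The filter strings above follow the log viewer's '(field operator value)' syntax joined by 'and' / 'or'. The following is an added example, not PAN-OS code or code from the original page: it is a small evaluator for that syntax run over a handful of constructed records, so the difference between the 'and', 'or' and 'severity' variants is visible in the rows each one returns. The grammar subset, the rule that 'and' binds tighter than 'or', the sample records and their field names are all assumptions.

```python
"""A small evaluator for PAN-OS-style log filter expressions.

Added example, not PAN-OS code: the grammar subset, operator precedence
('and' binds tighter than 'or'), the sample records and the field names used in
them are assumptions for illustration.
"""
import re

_TOKEN = re.compile(r"""\(|\)|'[^']*'|"[^"]*"|[^\s()'"]+""")
_SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
_OPS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "ge": lambda a, b: a >= b, "geq": lambda a, b: a >= b,
    "le": lambda a, b: a <= b, "leq": lambda a, b: a <= b,
    "gt": lambda a, b: a > b, "lt": lambda a, b: a < b,
}


def _normalise(field, value):
    """Make values comparable: severities by rank, digit strings as ints, the rest as text."""
    if field == "severity":
        return _SEVERITY.get(str(value).lower(), -1)
    return int(value) if str(value).isdigit() else str(value)


def _condition(field, op, value):
    def pred(record):
        if field not in record:
            return False
        return _OPS[op](_normalise(field, record[field]), _normalise(field, value))
    return pred


class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and_expr := term ('and' term)*."""

    def __init__(self, text):
        self.tokens = _TOKEN.findall(text)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._next()
            left, right = node, self._and()
            node = lambda r, l=left, rt=right: l(r) or rt(r)
        return node

    def _and(self):
        node = self._term()
        while self._peek() == "and":
            self._next()
            left, right = node, self._term()
            node = lambda r, l=left, rt=right: l(r) and rt(r)
        return node

    def _term(self):
        if self._peek() == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self._next(), self._next(), self._next()
        if field is None or op not in _OPS or value is None:
            raise ValueError("expected: field operator value")
        return _condition(field, op, value.strip("'\""))


def compile_filter(text):
    return _Parser(text).parse()


def apply_filter(records, text):
    pred = compile_filter(text)
    return [r for r in records if pred(r)]


# Constructed sample records in the shape of system-log authentication events.
LOGS = [
    {"seq": 1, "addr.src": "10.1.1.100", "user": "user@domain.com", "eventid": "auth-fail", "severity": "medium"},
    {"seq": 2, "addr.src": "10.1.1.100", "user": "user@domain.com", "eventid": "auth-fail", "severity": "medium"},
    {"seq": 3, "addr.src": "10.1.1.100", "user": "user@domain.com", "eventid": "auth-success", "severity": "informational"},
    {"seq": 4, "addr.src": "10.1.1.77", "user": "bob@domain.com", "eventid": "auth-fail", "severity": "medium"},
    {"seq": 5, "addr.src": "10.1.1.100", "user": "user@domain.com", "eventid": "general", "severity": "high"},
]

if __name__ == "__main__":
    for expr in ("(addr.src eq 10.1.1.100) and (eventid eq auth-fail)",
                 "(addr.src eq 10.1.1.100) or (eventid eq auth-fail)",
                 "(addr.src eq 10.1.1.100) and (severity ge medium)"):
        print(expr, "->", [r["seq"] for r in apply_filter(LOGS, expr)])
```

The 'and' form returns only the two failures from the source in question; the 'or' form returns every row, and the severity form also catches the unrelated high-severity event, which is exactly why neither of those answers the question.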
An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?
URL Filtering Report
Application Report
Application Report provides top applications by bandwidth.
Traffic Report
Threat Report
A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?
Network > Virtual Routers
Device > Troubleshooting > Security Policy Match
The Security Policy Match test (CLI: test security-policy-match) takes the zones, addresses, protocol and port of a hypothetical flow and returns the rule it would hit. Policy Optimizer is a different tool that reports unused rules and port-based rules that could be converted to App-ID.
Monitor > Logs > Traffic
Device > Setup > Management
A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?
Virtual System Admin
Vsys admin can be scoped to a specific vsys with limited permissions.
Superuser
Device Admin
Role-Based Admin
An administrator is troubleshooting high CPU usage on a PA-5250 firewall. The CPU usage spikes every 5 minutes. Which CLI command should be used to identify the process causing the spike?
show session all
show dataplane
show running resource-monitor
Shows dataplane CPU utilization per core over time (second, minute, hour, day and week views), so a recurring spike can be lined up against its interval; 'show system resources' gives a top-style per-process view of the management plane instead.
show system resources
A firewall is configured with two ISPs for redundancy. The administrator wants to ensure that traffic from internal users is load-balanced across both links based on source IP. Which configuration method should be used?
Static routes with different metrics
Policy-Based Forwarding (PBF)
Path monitoring
ECMP with source IP hash
ECMP with source IP hash load-balances traffic across equal-cost paths.
A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?
Check the traffic logs for any denial events
Check the IPSec tunnel status and IKE/IPSEC SA rekey timers
Intermittent connectivity every few minutes often indicates a mismatch in SA lifetime or rekey failure.
Reboot the firewall to clear any stale sessions
Verify the routing table on both firewalls
An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?
Session offload is causing the packet to bypass security checks
The firewall is unable to resolve the destination MAC address
Asymmetric routing causes the firewall to drop the SYN packet
The firewall might receive the SYN but if the return path is different, it can drop the packet or not forward it properly.
The destination NAT is misconfigured
A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?
Check the security policy rulebase order and matching
The traffic might be matching a deny rule placed before the allow rule.
Verify the user-ID agent is mapping the IP correctly
Check the service configuration for the destination port
Check the NAT configuration for the user's subnet
A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?
The application is using asymmetric routing
The security policy is not logging the traffic correctly
The firewall is not inspecting UDP traffic correctly
The firewall is dropping the return traffic due to a missing policy
The application may require responses; if the return traffic is not allowed by policy, the application breaks.
An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?
The portal service is not running
The portal's IP address is not routable from the internet
The portal certificate's subject name does not match the portal URL
The client does not trust the certificate authority that signed the portal certificate
The TLS handshake fails because the client cannot verify the server certificate.
After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?
The SSL decryption policy is configured correctly
The security rule is still referencing the correct URL filtering profile
The URL filtering license is still valid
The URL filtering database is up-to-date
An upgrade may require a fresh download of the URL database to ensure proper categorization.
The PCNSE exam has 75 questions and must be completed in 90 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 9 domains: Deploy and Configure Firewalls, Securing Traffic and App-ID, Securing Users and Applications with Authentication, Decryption and SSL Inspection, Managing Troubleshooting and High Availability, Core Concepts and Architecture, Secure Access and VPN, Manage, Monitor and Operate, Troubleshoot. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Palo Alto Networks PCNSE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.