Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

PCNSE Core Concepts and Architecture • Complete Question Bank

PCNSE Core Concepts and Architecture — All Questions With Answers

Complete PCNSE Core Concepts and Architecture question bank — all 0 questions with answers and detailed explanations.

76 Questions

Question 1 (medium, multiple choice)

A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?

Question 2 (hard, multiple choice)

A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?

Question 3 (easy, multiple choice)

An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?

Question 4 (medium, multiple choice)

During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?

Question 5 (hard, multiple choice)

A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?

Question 6 (medium, multiple choice)

A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?

Question 7 (easy, multiple choice)

Which Panorama deployment mode allows centralized management of firewalls while storing logs locally on each firewall instead of sending them to the Panorama log collector?

Question 8 (medium, multiple choice)

A firewall has the routing table shown. A packet arrives on ethernet1/2 with source IP 10.0.0.50 and destination IP 10.0.0.100. Which route will be used for forwarding?

Exhibit

Refer to the exhibit.

```
admin@PA-5050> show routing route

IPv4 Virtual Router: default

destination nexthop interface metric flags
0.0.0.0/0 10.0.0.1 ethernet1/1 10 A S
10.0.0.0/8 10.0.0.1 ethernet1/1 10 A S
10.0.0.0/24 10.0.0.2 ethernet1/2 10 A S
10.0.1.0/24 10.0.0.3 ethernet1/3 10 A S
172.16.0.0/12 10.0.0.4 ethernet1/4 10 A S
192.168.0.0/16 10.0.0.5 ethernet1/5 10 A S
```

Question 9 (hard, multiple choice)

An administrator runs the commands and sees the output. The session shows an SSL application from trust to untrust. However, the traffic is actually a custom application over TCP 44321 that the firewall incorrectly identifies as SSL. Which configuration step will most accurately identify the custom application?

Exhibit

Refer to the exhibit.

```
admin@PA-3020> show session info

session id 12345, application: ssl, vsys vsys1, zone trust->untrust
source 10.1.1.10:443 -> destination 192.168.1.1:44321
state: active, type: dynamic
session age: 120 sec, timeout: 3600 sec

admin@PA-3020> show system info | match uptime
Uptime: 30 days, 4 hours, 12 minutes
```

Question 10 (medium, multi-select)

Which TWO are valid dataplane components in a Palo Alto Networks firewall? (Choose two.)

Question 11 (hard, multi-select)

Which THREE factors are considered when a Palo Alto Networks firewall performs application identification (App-ID) on a session? (Choose three.)

Question 12 (hard, multiple choice)

A company runs a mixed environment of physical and virtual Palo Alto Networks firewalls (PA-5250, VM-300) managed by a single Panorama. The company recently deployed a new application that uses the QUIC protocol (UDP 443) for performance. After the deployment, the security team notices that the firewall is not accurately identifying the QUIC traffic, and some QUIC sessions are being dropped unexpectedly. The firewall logs show 'application: incomplete' for these sessions. The security team wants to ensure QUIC traffic is properly identified and allowed. The team has configured a security policy rule to allow 'ssl' application (thinking QUIC is similar to SSL) but the problem persists. The firewall is running PAN-OS 10.1. Which of the following is the best course of action?

Question 13 (medium, multi-select)

A security engineer is troubleshooting a traffic drop issue on a Palo Alto Networks firewall. The traffic is allowed by the security policy, but the session is being terminated. Which two features could cause this behavior? (Choose two.)

Question 14 (hard, multi-select)

A network administrator is configuring a new Palo Alto Networks firewall in a high-availability active/passive setup. The firewall will be placed in Layer 3 mode. Which THREE steps are required to ensure proper operation? (Choose three.)

Question 15 (hard, multiple choice)

Refer to the exhibit. A firewall administrator is investigating why traffic from a source IP 10.1.1.100 to destination 192.168.1.50 is not establishing sessions. The firewall has been up for 45 days. Based on the counters shown, what is the most likely cause?

Exhibit

Refer to the exhibit.

```
admin@PA-5050> show system info | match uptime
Uptime: 45 days 3 hours 22 mins

admin@PA-5050> show session all filter source 10.1.1.100 destination 192.168.1.50
Session filter returned 0 sessions

admin@PA-5050> show counter global | match flow_tcp_non_syn
flow_tcp_non_syn: 15

admin@PA-5050> show counter global | match flow_tcp_handshake_fail
flow_tcp_handshake_fail: 8
```

Question 16 (medium, multiple choice)

A company recently deployed a Palo Alto Networks PA-5250 firewall in a data center. The firewall is configured with multiple virtual routers and is connected to an MPLS WAN router and an internet router. The network team reports that users can access internet resources but cannot reach a critical application hosted in a remote branch office over the MPLS link. The application uses TCP port 443 and is accessed via a fully qualified domain name (FQDN). The security policy includes a rule that allows traffic from the internal zone to the MPLS zone with the application 'ssl' and the destination address set to the FQDN of the application server. The internal DNS server resolves the FQDN correctly to the private IP address 10.20.30.40. The firewall has DNS proxy enabled, but the DNS server is configured as the internal DNS server. The administrator runs a packet capture and sees that the firewall is sending DNS queries for the FQDN to the internal DNS server but the response is not being used to update the dynamic address group (DAG) that is referenced in the security policy. The DAG is configured with a 'FQDN' match criteria. What is the most likely cause?

Question 17 (medium, multiple choice)

A security administrator is troubleshooting a traffic drop between two internal zones. The firewall shows that the session is being terminated with a 'tcp-fin' reason. The administrator verifies that the application is set to 'web-browsing' and the service is 'application-default'. What is the most likely cause of the session termination?

Question 18 (hard, multiple choice)

An organization is deploying a pair of PA-5250 firewalls in active/passive high availability. The network team notices that the passive firewall is not receiving synchronization updates. Both devices have the same software version and licenses. The HA1 control link is connected and shows 'up' in 'show high-availability state'. What is the most likely reason for the synchronization failure?

Question 19 (easy, multiple choice)

A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?

Question 20 (medium, drag order)

Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.

Question 21 (medium, matching)

Match each log type to its content.

Concepts
Matches

Records session start, end, and bytes transferred

Logs blocked malware, exploits, or spyware

Logs web requests and category matches

Tracks files sent for cloud analysis

Records administrative actions and system events

Question 22 (easy, multiple choice)

A company needs to deploy a firewall in transparent inline mode to filter traffic between two switches without requiring any IP address changes on existing devices. Which interface type should be configured?

Question 23 (medium, multiple choice)

An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?

Question 24 (hard, multiple choice)

An enterprise requires separate administrative domains within a single firewall chassis for different business units. Each domain must have its own virtual router, security policies, and interface configuration. What is the appropriate PAN-OS feature?

Question 25 (easy, multiple choice)

Which component of the PAN-OS architecture is responsible for processing security policies and performing packet inspection?

Question 26 (medium, multiple choice)

An organization wants to map user identity from Active Directory for traffic coming from internal LAN users without installing any agent on domain controllers. Which User-ID mapping method should be used?

Question 27 (hard, multiple choice)

A firewall's dataplane CPU is consistently at 95% utilization even though session count is normal. Analysis shows that a large number of small packets are being processed. Which feature could be causing excessive dataplane processing?

Question 28 (medium, multiple choice)

A security engineer wants to identify applications in SSL/TLS encrypted traffic without decrypting the payload. Which method can be used?

Question 29 (medium, multiple choice)

In an active/passive high-availability pair, the firewall fails over unexpectedly. Investigation shows that the active unit lost connectivity to the upstream router but the link is still up. Which monitoring feature should be configured to prevent false failovers due to temporary router unreachability?

Question 30 (hard, multiple choice)

A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?

Question 31 (easy, multi-select)

Which TWO components are part of the PAN-OS management plane?

Question 32 (hard, multi-select)

Which THREE are valid methods for User-ID mapping in PAN-OS?

Question 33 (medium, multi-select)

Which TWO statements correctly describe the role of the data plane in PAN-OS architecture?

Question 34 (easy, multiple choice)

Refer to the exhibit. What does the serial number '0123456789' indicate?

Exhibit

```
admin@firewall> show system info
System info:
hostname: PA-500-1
model: PA-500
serial: 0123456789
sw-version: 9.1.5
uptime: 45 days, 3:12:08
```

Question 35 (hard, multiple choice)

Refer to the exhibit. A packet from 10.0.0.5 to 8.8.8.8 on TCP port 443 (HTTPS) arrives. Source zone is trust, destination zone is untrust. The packet is dropped. What is the most likely reason?

Exhibit

```
admin@firewall> show running rulebase security
entry @name "Allow-Internal" {
    from "trust";
    to "untrust";
    source 10.0.0.0/24;
    destination any;
    application "web-browsing";
    service application-default;
    action allow;
    log-start yes;
}
```

Question 36 (easy, multiple choice)

Refer to the exhibit. An administrator sees this log entry. What does it indicate?

Exhibit

```
2019/10/15 14:23:45, drop, 192.168.1.10, 10.0.0.1, any, 0, (no rule), drop, session end reason: no-match
```

Question 37 (easy, multiple choice)

A company has configured a security policy that allows HTTP traffic from the internal network 10.0.0.0/8 to the internet. However, users from subnet 10.2.0.0/24 are unable to access external websites. The firewall logs show that traffic from 10.2.0.100 to 203.0.113.1 on port 80 is being denied. Which action should the administrator take to resolve the issue?

Question 38 (medium, multiple choice)

A company implements SSL Forward Proxy decryption. Users complain that accessing certain websites, such as video streaming and software updates, is slow. Which action should the administrator take to improve performance?

Question 39 (hard, multiple choice)

A multinational organization uses a pair of PA-5250 firewalls in an active/passive high-availability configuration across two data centers. They need to ensure that all management traffic (SSH, HTTPS) to the firewalls is encrypted and sourced only from a dedicated management network (10.10.0.0/24). Which configuration meets these requirements?

Question 40 (easy, multiple choice)

Refer to the exhibit. A user with IP 10.1.1.100 from the internal zone is trying to access http://203.0.113.1. What will the firewall do?

Exhibit

```
admin@PA-3020# show running security-policy
set security-policy rule 1 from zone internal to zone external source 10.0.0.0/8 destination 0.0.0.0/0 application web-browsing service service-http action deny
set security-policy rule 2 from zone internal to zone external source 10.1.0.0/16 destination 0.0.0.0/0 application web-browsing service service-http action allow
```

Question 41 (medium, multiple choice)

Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?

Exhibit

```
set decryption rule decrypt-ssl from zone untrust to zone trust source any destination any application ssl action decrypt ssl-forward-proxy
set decryption rule no-decrypt from zone untrust to zone trust source any destination any application ssl category finance,healthcare action no-decrypt
```

Question 42 (hard, multiple choice)

Refer to the exhibit. What does the 'Session End Reason: aged-out' indicate about the traffic?

Exhibit

```
# Timestamp: 2020-07-10 12:34:56
# Source IP: 10.0.0.1
# Destination IP: 203.0.113.2
# Application: ssl
# Action: allow
# Session End Reason: aged-out
# Bytes In: 5000
# Bytes Out: 12000
```

Question 43 (medium, multi-select)

Which two are valid methods for collecting User-ID information on a Palo Alto Networks firewall? (Choose two.)

Question 44 (hard, multi-select)

Which two are prerequisites for deploying a Palo Alto Networks firewall in a high-availability active/passive pair? (Choose two.)

Question 45 (easy, multi-select)

Which three are valid security policy rule actions on a Palo Alto Networks firewall? (Choose three.)

Question 46 (easy, multiple choice)

An administrator needs to allow FTP traffic from the internal network to an external server. The firewall is configured with a security policy that has the application 'ftp' and service 'service-http'. What is the most likely cause of the traffic being denied?

Question 47 (medium, multiple choice)

A company uses Panorama to manage multiple firewalls. They want to push a security policy that applies to all firewalls but with a specific exception for one firewall in a different region. Which Panorama method should be used?

Question 48 (hard, multiple choice)

A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?

Question 49 (easy, multiple choice)

An administrator configures the management interface with IP 192.168.1.1/24 and can ping it from a host on the same subnet, but cannot access the web interface. What is the likely cause?

Question 50 (medium, multiple choice)

A Palo Alto Networks firewall is configured with multiple virtual routers. Traffic between two different virtual routers is not being forwarded. What is required to enable routing between them?

Question 51 (hard, multiple choice)

An organization uses GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show that the traffic from the GlobalProtect IP pool to internal servers is allowed. What is the most likely cause?

Question 52 (medium, multiple choice)

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. Traffic fails over correctly, but after a failover, existing sessions from external users to internal servers are broken. The security team wants to prevent this disruption. Which feature must be enabled?

Question 53 (easy, multiple choice)

A network engineer is troubleshooting why traffic from the 10.0.1.0/24 subnet to the internet is being dropped. The firewall has the following security policies (in order): 1) Allow from 10.0.1.0/24 to 10.0.2.0/24, 2) Allow from any to any, 3) Deny from 10.0.1.0/24 to any. What is the most likely cause of the traffic being dropped?

Question 54 (hard, multiple choice)

An organization is implementing SSL Forward Proxy decryption to inspect outbound HTTPS traffic. They want to exclude traffic to specific internal applications that cannot handle decryption due to certificate pinning. The firewall is configured with a decryption policy that decrypts all traffic from the internal network to the internet. To exclude the pinned applications, which approach is best practice?

Question 55 (medium, multiple choice)

A firewall has two virtual routers: VR1 (for internal networks) and VR2 (for DMZ). An internal server in VR1 needs to reach a DMZ server in VR2. Both virtual routers have routes to each other's subnets via a shared inter-connect. The firewall is receiving traffic but is dropping packets between the virtual routers. What configuration is missing?

Question 56 (easy, multiple choice)

A security administrator wants to block traffic from IP address 192.168.1.100 to the internet. The firewall has a security policy that allows all outbound traffic. Which action should be taken to most efficiently block this specific host?

Question 57 (hard, multiple choice)

An organization uses User-ID with agent-based mapping on a Palo Alto Networks firewall. Users authenticate to a domain but some user-to-IP mappings are not showing up in the firewall's user cache. The firewall can reach the domain controllers. What is the most likely cause?

Question 58 (medium, multiple choice)

A firewall is configured with a destination NAT rule to translate public IP 203.0.113.10 to internal server 10.0.0.5 on port 443. Internal users from 10.0.0.0/24 can access the server using its private IP, but cannot access using the public IP. What should be configured to allow internal users to reach the server using the public IP?

Question 59 (easy, multiple choice)

A help desk ticket reports that a user cannot access the firewall's web management interface (HTTPS) from the management network. The management interface is on a dedicated MGMT network. Which setting must be enabled on the firewall to allow this access?

Question 60 (hard, multiple choice)

A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?

Question 61 (medium, multi-select)

Which TWO of the following are true regarding Panorama's templates and device groups?

Question 62 (hard, multi-select)

Which THREE of the following are key differences between the Palo Alto Networks Next-Generation Firewall and Cloud-Delivered Security Services (CDSS)?

Question 63 (easy, multi-select)

Which TWO of the following are valid methods to collect logs from a Palo Alto Networks firewall for reporting and forensics?

Question 64 (easy, multiple choice)

A company is deploying a Palo Alto Networks firewall in an existing Layer 2 switched environment. They need to inspect traffic between VLAN 10 and VLAN 20 without changing the IP addresses of hosts and without performing any routing. Which firewall mode should be used?

Question 65 (medium, multiple choice)

An organization runs a pair of Palo Alto Networks firewalls in an active/passive HA configuration. During a maintenance window, the active firewall experiences a link down event on one of its data interfaces. The passive firewall does not assume the active role. What is the most likely reason?

Question 66 (hard, multiple choice)

A company configures its Palo Alto Networks firewall to decrypt outbound SSL traffic using a forward proxy. After applying the decryption policy, users report that their browsers display certificate errors when accessing HTTPS websites. The firewall's decryption certificate is self-signed. What is the most likely cause?

Question 67 (medium, multiple choice)

A security administrator configures a new network template in Panorama and assigns it to a template stack. The template stack is associated with a device group containing several firewalls. After committing the Panorama configuration and pushing to devices, some firewalls in the device group do not have the new template settings. What is the most likely cause?

Question 68 (medium, multi-select)

Which TWO of the following are minimum required configurations to enable User-ID on a Palo Alto Networks firewall? (Choose exactly two.)

Question 69 (medium, multi-select)

Which TWO of the following are mandatory requirements for forming an active/passive HA pair between two Palo Alto Networks firewalls? (Choose exactly two.)

Question 70 (easy, multi-select)

Which THREE of the following are core components of the GlobalProtect solution? (Choose exactly three.)

Question 71 (hard, multiple choice)

A network engineer configures a Source NAT policy on a Palo Alto Networks firewall to translate internal private IP addresses to the public IP of the external interface. The NAT rule is configured with source zone 'internal', destination zone 'external', and uses 'interface address' as the translated address. The associated security rule allows traffic from 'internal' to 'external' with the translated IP as the source. After committing, users cannot access the internet. Traceroute from an internal host to 8.8.8.8 shows: Hop 1: 192.168.1.1 (firewall internal IP), Hop 2: * * * (no response). The firewall's external interface has a public IP and is in the 'external' zone. What is the most likely cause of the issue?

Question 72 (hard, multiple choice)

A company uses a Palo Alto Networks firewall to decrypt all outbound SSL traffic. Recently, users have reported slow internet performance. The network administrator notices that the firewall's CPU utilization is consistently above 90%. The traffic logs show that a large portion of decrypted traffic is from software update services (e.g., Windows Update, Adobe, etc.) that do not require inspection. The firewall is a mid-range model with hardware decryption acceleration. What is the most effective action to reduce CPU usage while maintaining security?

Question 73 (easy, multiple choice)

An organization uses GlobalProtect to provide VPN access to remote users. After connecting, users can access internal resources, but the firewall's User-ID does not show the usernames in the logs or policy matches. The GlobalProtect gateway is configured to use the authentication server for user mapping. The authentication server (LDAP) is reachable from the firewall. The firewall's User-ID settings have the 'GlobalProtect' mapping method enabled. What is the most likely reason that users are not being identified?

Question 74 (hard, multiple choice)

A company has a security policy rule that allows application 'ssl' from the internal zone to the external zone. Users report that they cannot access certain HTTPS websites. Logs show that the traffic is being matched by a later rule that denies application 'web-browsing'. The administrator verifies that the target websites are using standard HTTPS (port 443). The firewall's application identification has correctly identified the traffic as 'web-browsing' instead of 'ssl'. What is the most likely reason?

Question 75 (hard, multiple choice)

Two Palo Alto Networks firewalls are configured in an active/passive HA pair. During a scheduled maintenance, the network team reboots both firewalls simultaneously. After reboot, both firewalls appear as 'active' in the HA state. What is the most likely cause and the correct troubleshooting step?

Question 76 (easy, multiple choice)

A company uses Policy-Based Forwarding (PBF) to route specific traffic from internal users to a partner network through an MPLS connection. The PBF rule is configured to match source addresses 10.1.1.0/24 and forward to a next-hop of 10.2.1.1. The administrator verifies that the MPLS router is reachable from the firewall. Traffic from the 10.1.1.0/24 network does not go through the MPLS link; instead, it takes the default route out the internet connection. Logs show that the traffic hits the PBF rule. What is the most likely issue?
