Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Decryption and SSL Inspection practice sets

PCNSE Decryption and SSL Inspection • Complete Question Bank

PCNSE Decryption and SSL Inspection — All Questions With Answers

Complete PCNSE Decryption and SSL Inspection question bank — all 0 questions with answers and detailed explanations.

29
Questions
Free
No signup
Certifications/PCNSE/Practice Test/Decryption and SSL Inspection/All Questions
Question 1mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?

Question 2hardmulti select
Read the full Decryption and SSL Inspection explanation →

Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?

Question 3hardmultiple choice
Read the full MPLS explanation →

You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?

Question 4mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?

Question 5hardmulti select
Read the full Decryption and SSL Inspection explanation →

Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment in a Palo Alto Networks firewall?

Question 6mediumdrag order
Review the full routing breakdown →

Order the steps to configure a static route on a Palo Alto Networks firewall.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 7mediummatching
Read the full Decryption and SSL Inspection explanation →

Match each high availability (HA) term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

One firewall handles traffic; the other stands by

Both firewalls handle traffic simultaneously

Keepalive messages exchanged between HA peers

Original active firewall reclaims role after recovery

Firewall that initially processed a session

Question 8easymultiple choice
Read the full Decryption and SSL Inspection explanation →

A security administrator wants to minimize the performance impact of SSL decryption on the firewall. Which best practice should be applied?

Question 9mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

After enabling SSL Forward Proxy decryption, users report that they cannot access HTTPS websites and receive certificate errors. The firewall's decryption certificate is properly installed on client machines. What is the most likely cause?

Question 10hardmultiple choice
Read the full Decryption and SSL Inspection explanation →

An organization is deploying SSL inbound proxy decryption (SSLi) to protect servers in a DMZ. Which consideration is critical for the firewall to properly decrypt inbound traffic destined to these servers?

Question 11easymultiple choice
Read the full Decryption and SSL Inspection explanation →

What is the primary purpose of SSL decryption in a Palo Alto Networks firewall?

Question 12mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

A company wants to decrypt traffic to productivity and collaboration sites but avoid decrypting traffic to financial and healthcare sites due to compliance. How should the SSL decryption policy be configured?

Question 13hardmultiple choice
Read the full Decryption and SSL Inspection explanation →

During SSL decryption, the firewall logs show 'ssl_decrypt_unsupported_cipher' errors for several connections. What is the likely cause and solution?

Question 14easymultiple choice
Read the full Decryption and SSL Inspection explanation →

A user reports that after SSL decryption was enabled, certain web applications fail to load completely. What is the most likely reason?

Question 15mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

Which best practice should be followed for certificate management when deploying SSL Forward Proxy decryption in a large enterprise?

Question 16hardmultiple choice
Read the full Decryption and SSL Inspection explanation →

A Palo Alto Networks firewall is configured for SSL Forward Proxy decryption. The security team wants to ensure that decrypted traffic is also inspected by an external DLP appliance. How should this be achieved?

Question 17mediummulti select
Read the full Decryption and SSL Inspection explanation →

Which TWO conditions typically cause the firewall to bypass SSL decryption for a session? (Choose two.)

Question 18hardmulti select
Read the full Decryption and SSL Inspection explanation →

Which THREE steps should be taken to troubleshoot an SSL decryption issue where users are unable to access specific HTTPS websites? (Choose three.)

Question 19easymulti select
Read the full Decryption and SSL Inspection explanation →

Which TWO types of traffic should typically be excluded from SSL decryption for compliance or operational reasons? (Choose two.)

Question 20mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?

Exhibit

Refer to the exhibit.
```
> show ssl-decrypt statistics

SSL Decryption Statistics
Total sessions decrypted: 45032
Total sessions bypassed: 2341
Bypass reasons:
  unsupported cipher: 1200
  certificate validation failure: 800
  handshake failure: 341
Currently active sessions: 105
```
Question 21hardmultiple choice
Review the full subnetting walkthrough →

A user from subnet 10.0.1.0/24 accesses a website categorized as 'Finance'. Based on the exhibit, what will be the result?

Exhibit

Refer to the exhibit.
```
Decryption Policy Rule 1:
  Name: Decrypt_HR_Traffic
  Source: 10.0.1.0/24
  Destination: any
  Service: any
  URL Category: Human-Resources
  Action: decrypt

Decryption Policy Rule 2:
  Name: Decrypt_All
  Source: any
  Destination: any
  Service: any
  URL Category: any
  Action: decrypt

Decryption Policy Rule 3:
  Name: No_Decrypt_Finance
  Source: any
  Destination: any
  Service: any
  URL Category: Finance
  Action: no-decrypt

Ordering: Rule 1, Rule 2, Rule 3
```
Question 22easymultiple choice
Read the full Decryption and SSL Inspection explanation →

Based on the exhibit, what is the most likely action for the firewall to take on this session?

Exhibit

Refer to the exhibit.
```
2019-03-21 10:15:33.456 ssl_decrypt: session 12345, error: ssl_decrypt_cert_verify_failed, reason: certificate has expired
```
Question 23mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

A company uses SSL Forward Proxy decryption for user traffic. Recently, some users cannot access a specific HTTPS website that uses a self-signed certificate. The firewall's decryption policy is set to 'decrypt' and the action is 'forward proxy'. The firewall does not have the self-signed CA certificate installed. What is the most likely cause of the issue?

Question 24hardmulti select
Read the full Decryption and SSL Inspection explanation →

Which TWO statements are true about TLS version 1.3 support in Palo Alto Networks decryption?

Question 25easymultiple choice
Read the full Decryption and SSL Inspection explanation →

A network administrator is troubleshooting decryption failures for HTTPS traffic to a financial website. The firewall is configured with SSL Forward Proxy decryption policy that applies to the 'financial-services' URL category. The firewall uses an internal CA certificate to sign generated certificates. Users report a certificate error in their browsers when accessing 'https://www.bankofalice.com'. The error says the certificate is not trusted, even though the internal CA certificate is installed on all client devices. The administrator checks the firewall logs and sees no decryption errors; the session is being decrypted successfully. The administrator also confirms that the decryption policy is active and the firewall is not bypassing decryption. What is the most likely cause of the certificate error?

Question 26mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

A company has deployed SSL Inbound Inspection to inspect HTTPS traffic to their internal web server hosting a custom application that requires mutual TLS authentication. The firewall is configured with a decryption policy that includes the server's certificate and the action 'decrypt'. The web server is configured to request client certificates. After implementation, users report that the application fails to authenticate them. The firewall logs show that SSL handshake with the client completes successfully, but the server never receives the client certificate during the handshake. The administrator has verified that the decryption policy is active and the server certificate is correctly imported. What is the most likely cause of this issue?

Question 27easymulti select
Read the full Decryption and SSL Inspection explanation →

Which TWO of the following are supported decryption scenarios on a Palo Alto Networks firewall?

Question 28mediummultiple choice
Read the full Decryption and SSL Inspection explanation →

A network administrator observes that some SSL connections are failing to be decrypted. Based on the exhibit, what is the most likely reason for the majority of the failures?

Exhibit

Refer to the exhibit.

admin@PA-5000> show decryption statistics

Total Decrypted Packets: 12345
Total SSL Handshake Attempts: 1000
Successful Handshakes: 950
Failed Handshakes: 50
  - Decryption policy not matched: 20
  - Certificate validation failure: 15
  - Unsupported cipher: 10
  - Other: 5
Question 29hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation uses Palo Alto Networks firewalls at its headquarters and five branch offices. SSL Forward Proxy decryption is enabled for all outbound HTTPS traffic. Recently, users in the finance department have reported that several banking and financial websites fail to load, displaying a certificate error in the browser. The errors occur only for these specific sites, while other HTTPS sites work fine. The firewall administrator has already added decryption exclusion rules for the affected domains, but the problem persists. The decryption policy is configured with a single rule that decrypts all ssl service traffic, and the exclusion rules are placed below this global decrypt rule. Which of the following is the best course of action to resolve the issue?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSE Practice Test 1 — 10 Questions→PCNSE Practice Test 2 — 10 Questions→PCNSE Practice Test 3 — 10 Questions→PCNSE Practice Test 4 — 10 Questions→PCNSE Practice Test 5 — 10 Questions→PCNSE Practice Exam 1 — 20 Questions→PCNSE Practice Exam 2 — 20 Questions→PCNSE Practice Exam 3 — 20 Questions→PCNSE Practice Exam 4 — 20 Questions→Free PCNSE Practice Test 1 — 30 Questions→Free PCNSE Practice Test 2 — 30 Questions→Free PCNSE Practice Test 3 — 30 Questions→PCNSE Practice Questions 1 — 50 Questions→PCNSE Practice Questions 2 — 50 Questions→PCNSE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPNTroubleshoot

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Decryption and SSL Inspection setsAll Decryption and SSL Inspection questionsPCNSE Practice Hub