PCNSE Deploy and Configure Firewalls • Complete Question Bank

PCNSE Deploy and Configure Firewalls — All Questions With Answers

Complete PCNSE Deploy and Configure Firewalls question bank — all 0 questions with answers and detailed explanations.

52 Questions • Free • No signup
Question 1 • medium • multiple choice

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

Question 2 • hard • multiple choice

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

Question 3 • easy • multiple choice

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

Question 4 • medium • multiple choice

An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?

Question 5 • hard • multiple choice

An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?

Question 6 • medium • multi select

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Question 7 • hard • multi select

Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?

Question 8 • hard • multiple choice

You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for internal corporate network, VR-B for DMZ, and VR-C for Internet edge. Each VR is associated with a separate Vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?

Question 9 • medium • multiple choice

A company has deployed two PA-5250 firewalls in an active/passive high-availability pair. The passive firewall shows the status 'non-functional' after a reboot. The active firewall is still passing traffic. The administrator checks the HA configuration and sees that the preemptive setting is enabled on both firewalls. What is the most likely cause of the passive firewall showing 'non-functional'?

Question 10 • hard • multi select

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)

Question 11 • medium • multiple choice

Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?

Exhibit

admin@PA-5250> show routing route

IPv4 Route Table for virtual-router default

destination  nexthop      metric  flags  interface    age
0.0.0.0/0    10.1.1.1     10      A S    ethernet1/1  5m
10.1.1.0/24  10.1.1.100   0       A C    ethernet1/1  5m
10.2.2.0/24  10.1.1.200   1       A S    ethernet1/1  5m
10.3.3.0/24  10.1.1.200   1       A S    ethernet1/1  5m

Question 12 • medium • drag order

Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.

Question 13 • medium • matching

Match each type of route to its description.


Manually configured by administrator

Learned via link-state routing protocol

Learned via path-vector routing protocol

Directly attached network

Used when no specific route matches destination

Question 14 • easy • multiple choice

What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?

Exhibit

Refer to the exhibit.
Time,Source,Destination,Application,Action,Rule
2024-05-01 10:00:00,192.168.1.100,203.0.113.50,ssl,deny,default-deny

Question 15 • medium • multiple choice

The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?

Exhibit

Refer to the exhibit.
admin@PA-500> show interface ethernet1/2.10
Interface ethernet1/2.10
  VLAN: 20
  Virtual router: default
  IP netmask: 192.168.10.1/24
  Zone: VLAN10
  State: up

Question 16 • hard • multiple choice

The source NAT rule 'SNAT-Outside' is configured to translate traffic from 10.0.0.0/8 to the interface address of ethernet1/1. However, traffic from 10.1.1.1 to the internet is not being translated. What is the most likely reason?

Exhibit

Refer to the exhibit.
admin@PA-500# show running config | match nat
...
nat {
    source-nat {
        rule "SNAT-Outside" {
            source [ 10.0.0.0/8 ];
            destination [ any ];
            service [ any ];
            to-interface ethernet1/1;
            source-translation {
                interface-address;
            }
        }
    }
}

Question 17 • easy • multiple choice

A company needs to provide internet access to 500 internal users using a single public IP address. Which NAT method should be configured?

Question 18 • easy • multiple choice

A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny' with the rule being 'Allow-SSL'. What is the most likely cause?

Question 19 • easy • multiple choice

By default, what is the action on traffic between two different zones without any security rule?

Question 20 • medium • multiple choice

An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?

Question 21 • medium • multiple choice

Which of the following is NOT a valid method to identify users for User-ID on a Palo Alto Networks firewall?

Question 22 • medium • multiple choice

In an Active/Passive HA pair, which statement is true regarding configuration synchronization?

Question 23 • hard • multiple choice

A company uses a custom application definition for a proprietary application that runs on UDP port 12345. The security rule allowing the application is configured, but traffic logs show the application as 'unknown' instead of matching the custom app. What is the most likely cause?

Question 24 • hard • multiple choice

An administrator wants to ensure that all traffic from the 'Trust' zone to the 'Untrust' zone is inspected by WildFire. Which configuration is required?

Question 25 • hard • multiple choice

In a Panorama-managed deployment, the device group has a rule called 'Allow-Web' that allows 'web-browsing'. The local firewall also has a rule with the same name and content. After Panorama pushes the device group configuration, what happens to the local rule?

Question 26 • easy • multi select

Which TWO of the following are prerequisites for configuring User-ID on an interface?

Question 27 • medium • multi select

Which TWO of the following are required for stateful failover in an Active/Passive HA pair?

Question 28 • hard • multi select

Which THREE of the following are mandatory components for GlobalProtect client connectivity?

Question 29 • easy • multiple choice

A company has a firewall with multiple virtual routers. They need to ensure that traffic from a specific subnet (10.1.1.0/24) can reach the internet but not other internal subnets. What is the best way to achieve this?

Question 30 • easy • multiple choice

An administrator notices that URL filtering is not blocking a specific category as configured. What is the first troubleshooting step?

Question 31 • easy • multiple choice

A firewall's management interface becomes unresponsive. The administrator can still ping the management IP. What is the most likely cause?

Question 32 • medium • multiple choice

A company uses User-ID to map users to IPs. Some users report that their traffic is being blocked even though they are in the correct user group for access. The security policy uses user-based conditions. What is a likely cause?

Question 33 • medium • multiple choice

An administrator wants to ensure that all traffic from the internal network to the internet uses a specific public IP address for source NAT. There are multiple public IP addresses available. What is the best way to achieve this?

Question 34 • medium • multiple choice

A firewall is configured with two ISPs for load balancing. Traffic from certain sources should always egress via ISP-1. What is the correct configuration?

Question 35 • hard • multiple choice

A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?

Question 36 • hard • multiple choice

An organization has a firewall in HA active-passive mode. After a failover, the new active firewall does not have the latest session table. What should be configured to ensure session synchronization?

Question 37 • hard • multiple choice

A firewall is configured with multiple virtual wire interfaces. Traffic passes through but the firewall cannot enforce security policies based on source/destination IP addresses. What is the reason?

Question 38 • easy • multi select

Which TWO statements are true about Palo Alto Networks firewall management access?

Question 39 • medium • multi select

Which TWO factors can cause a firewall to not show any User-ID mapping for a user who is actively logged in?

Question 40 • hard • multi select

Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?

Question 41 • medium • multiple choice

Refer to the exhibit. A user in the trust zone attempts to access HTTPS to an external server. Which rule will match?

Exhibit

admin@PA-500> show running security-policy
1.  rule1  (src: trust; dst: untrust; app: web-browsing; action: allow)
2.  rule2  (src: trust; dst: untrust; user: anyone; app: ssl; action: allow)
3.  rule3  (src: trust; dst: untrust; user: user1; app: any; action: deny)
4.  rule4  (src: trust; dst: untrust; user: anyone; app: any; action: deny)

Question 42 • hard • multiple choice

Refer to the exhibit. An administrator has configured this decryption policy but users in the 10.1.1.0/24 subnet receive certificate warnings when accessing HTTPS sites. What is the most likely cause?

Exhibit

set shared decryption rule MyRule from trust to untrust source 10.1.1.0/24 destination any application ssl decryption forward-proxy

Question 43 • easy • multiple choice

A company has a pair of Palo Alto Networks firewalls in active/passive HA. The active firewall manages all traffic. Recently, the network team reconfigured the virtual router by adding a new static route to a remote subnet via a next-hop IP on the same interface. After committing, they noticed that the passive firewall's management IP became unreachable. The active firewall continues to pass traffic normally. What is the most likely cause?

Question 44 • medium • multiple choice

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?

Question 45 • hard • multiple choice

A network engineer is deploying a new firewall to inspect traffic between two VLANs. The requirement is to block all traffic except HTTP and HTTPS from the internal network to a specific web server in the DMZ. The engineer applies a security policy with the following configuration: source zone Internal, destination zone DMZ, source address internal_subnet, destination address web_server, application set to 'web-browsing' and 'ssl', and action set to 'allow'. However, users report that they cannot access the web server. Which change must be made to the policy to resolve the issue?

Question 46 • easy • multi select

Which TWO actions should be taken when deploying a Palo Alto Networks firewall in a branch office to ensure secure and efficient operation? (Choose two.)

Question 47 • easy • multiple choice

A medium-sized enterprise recently deployed a PA-5250 firewall in a data center as the primary internet gateway. The network team configured the security policies to allow all outbound web traffic (HTTP/HTTPS) from the internal trust zone to the untrust zone, with URL filtering and threat prevention enabled. After the deployment, users complain that some legitimate websites, such as banking and healthcare portals, are being blocked. The team checks the URL filtering logs and sees that these sites are categorized as 'web-hosting' or 'dynamic-dns', which are in the block list. The company's compliance requires that all web traffic be inspected. What should the network engineer do to resolve the issue without reducing security?

Question 48 • medium • multiple choice

A global company uses a pair of PA-220 firewalls in an active/passive HA configuration at its headquarters. The firewalls have multiple virtual routers and dozens of zones. Recently, a network upgrade changed the physical topology: a new switch was placed between the firewalls and the ISP routers. After the upgrade, the passive firewall continuously shows 'suspended' state. The HA control link (HA1) and data link (HA2) are on separate dedicated interfaces. The Active firewall logs show: 'HA monitor peer unreachable' every few seconds. The engineer has verified IP connectivity between the HA interfaces using ping from the active to the passive HA1 IP. What is the most likely cause of the HA state issue?

Question 49 • hard • multiple choice

A security engineer is deploying a new PA-5220 firewall to replace an existing legacy firewall. The environment has complex routing with OSPF and BGP. The engineer configures the firewall with multiple virtual routers: one for the internal network, one for the DMZ, and one for the external connection to two ISPs. The firewall is placed in Layer 3 mode. After the cutover, users report that they can access the internet but internal traffic between two different subnets that are both in the internal virtual router fails to route properly. The engineer checks the routing table on the internal virtual router and sees correct OSPF learned routes. The security policies allow all traffic between those subnets. What is the most likely cause of the routing failure?

Question 50 • easy • multi select

Which TWO of the following are required to configure a Palo Alto Networks firewall for centralized management by Panorama?

Question 51 • medium • multiple choice

Refer to the exhibit. A user in the 10.0.0.0/8 network is unable to access a web server at 172.16.1.10 which is in the DMZ zone. The firewall's security policy is shown. What is the most likely reason for the failure?

Exhibit

admin@PA-5050> show running security-policy
rulebase security rules {
  "Permit-Web" {
    from "trust"
    to "untrust"
    source "10.0.0.0/8"
    destination "any"
    application "web-browsing"
    action "allow"
  }
}

Question 52 • hard • multiple choice

A company has deployed a Palo Alto Networks firewall in an active/passive high-availability (HA) pair. The firewall uses BGP for dynamic routing with two upstream ISPs to provide load-balanced internet connectivity. After an HA failover event, the network team notices that outbound traffic from internal hosts is now using only one of the two ISPs, even though BGP sessions are established on both firewalls and the passive firewall has learned the same routes as the active one. The security policy permits all outbound traffic. No changes were made to the BGP configuration. Which of the following is the most likely cause of this behavior, and what is the appropriate solution?
