Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

PCNSE Securing Traffic and App-ID • Complete Question Bank

PCNSE Securing Traffic and App-ID — All Questions With Answers

Complete PCNSE Securing Traffic and App-ID question bank — all 0 questions with answers and detailed explanations.

63 Questions • Free • No signup

Question 1 (medium, multiple choice)

A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?

Question 2 (hard, multiple choice)

During a security audit, it is discovered that some HTTP traffic is being incorrectly identified as 'web-browsing' instead of 'ssl' even though the traffic uses HTTPS. The firewall is positioned as a transparent bridge and no SSL decryption is configured. What is the most likely cause?

Question 3 (easy, multiple choice)

A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?

Question 4 (hard, multiple choice)

A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?

Question 5 (medium, multiple choice)

An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?

Question 6 (medium, multi select)

Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?

Question 7 (hard, multi select)

Which THREE of the following can cause App-ID to incorrectly identify traffic?

Question 8 (medium, multiple choice)

Refer to the exhibit. A firewall administrator is troubleshooting why some applications are not being correctly identified. The firewall is running App-ID version 8000-7120. What does the 'appid packet buffer: 1024 KB' indicate?

Exhibit

admin@PA-220> show system info | match appid
appid version: 8000-7120
appid last update: 2024/10/01 03:00:00
appid packet buffer: 1024 KB
appid max sessions: 500000

Question 9 (medium, multiple choice)

Refer to the exhibit. A network engineer wants to allow only 'ms-update' and 'facebook-base' traffic. After committing the above security policy, they find that 'ssl' traffic is also being allowed. What is the most likely reason?

Exhibit

admin@PA-220> show running security-policy | match app
rule id 1: application any -> allow
rule id 2: application ms-update, facebook-base -> allow
rule id 3: application ssl, web-browsing -> allow
rule id 4: application any -> deny

Question 10 (medium, multi select)

A security engineer is troubleshooting a Palo Alto Networks firewall where HTTP traffic is being incorrectly identified by App-ID. The engineer has verified that the application is correctly configured in the application override policy. Which two factors could cause App-ID to fail to recognize the application?

Question 11 (hard, multiple choice)

Refer to the exhibit. A network engineer notices high CPU utilization on the firewall. The output shows that 4500 sessions are pending App-ID identification. What is the most likely cause of the high number of pending sessions?

Exhibit

show system state | match appid
total appid sessions: 12000
appid pending sessions: 4500
appid complete sessions: 7500
appid error sessions: 0

Question 12 (medium, multiple choice)

A company uses App-ID to identify traffic on their Palo Alto Networks firewall. They notice that a particular application, custom-db-sync, is not being identified correctly. The traffic uses a proprietary protocol over TCP port 4444. The firewall currently has a security rule allowing any application on that port. Which step should the engineer take to enable App-ID to correctly identify custom-db-sync?

Question 13 (hard, multi select)

A network engineer is troubleshooting an issue where a web application is being incorrectly identified as 'web-browsing' instead of 'webmail-gmail' by the Palo Alto Networks firewall. The firewall has App-ID enabled and all signatures are up to date. Which TWO actions should the engineer take to resolve this misidentification?

Question 14 (medium, drag order)

Order the steps to configure a security policy allowing HTTP traffic from the inside to the outside zone.

Question 15 (medium, drag order)

Order the steps to upgrade the PAN-OS software on a standalone firewall.

Question 16 (medium, matching)

Match each PAN-OS component to its description.

Handles configuration, logging, and reporting

Processes traffic and enforces security policies

Manages routing and session setup

Collects and stores logs for analysis

Centralized management for multiple firewalls

Question 17 (medium, matching)

Match each decryption type to its description.

Decrypts outbound traffic to inspect it

Decrypts inbound traffic to servers

Decrypts SSH traffic for policy enforcement

Traffic bypasses decryption

Sends decrypted traffic to a monitoring tool

Question 18 (easy, multiple choice)

An administrator needs to create a custom application for a proprietary database protocol that uses TCP port 7890. What is the first step in defining this application in App-ID?

Question 19 (easy, multiple choice)

An engineer wants to block all peer-to-peer file sharing traffic using App-ID. What security policy action should be used?

Question 20 (easy, multiple choice)

A network engineer notices that traffic from an internal user to a web application is being incorrectly identified as 'web-browsing' instead of the custom application 'my-app'. The engineer has already created a custom application 'my-app' with the correct signature. What is the most likely reason for the misidentification?

Question 21 (medium, multiple choice)

A security team is deploying SSL Decryption for inbound traffic to protect against threats hidden in encrypted traffic. However, they want to exclude financial transactions that use client certificates for authentication. What is the best approach?

Question 22 (medium, multiple choice)

An engineer wants to block the use of file-sharing application BitTorrent, but allow file transfers over SFTP which also uses port 22. What is the most effective way to achieve this using App-ID?

Question 23 (medium, multiple choice)

During an audit, it is discovered that some traffic from a legacy application is being incorrectly identified as 'ssl' because the application uses a custom encryption scheme over TCP port 443. The engineer has created a custom application signature that matches the legacy application's handshake. What additional configuration is needed to ensure the legacy application is correctly identified?

Question 24 (hard, multiple choice)

A company has a Palo Alto Networks firewall in a high-availability active/passive setup. After a failover event, the new active firewall is not correctly identifying some custom applications. The custom application objects and signatures are synchronized via Panorama. What is the most likely cause?

Question 25 (hard, multiple choice)

An administrator is configuring SSL Forward Proxy decryption and wants to ensure that traffic to internal servers with self-signed certificates is decrypted, but traffic to external banking sites is excluded from decryption. They have created a decryption policy with two rules: first rule with 'No Decrypt' for the external banking URLs, second rule with 'Decrypt' for all other traffic. However, the banking traffic is still being decrypted. What is the most likely issue?

Question 26 (hard, multiple choice)

A network security engineer is troubleshooting an issue where certain VoIP traffic is being dropped by the firewall. The traffic logs show that the application is identified as 'voip' and the security rule allows 'voip'. However, the traffic is still being dropped. What should the engineer check next?

Question 27 (easy, multi select)

A security administrator needs to block an application that uses multiple ports, including dynamic ports. Which of the following methods can be used to block this application using App-ID? (Choose two.)

Question 28 (medium, multi select)

An engineer is configuring App-ID for a network that uses both standard and custom applications. Which of the following are best practices for using App-ID effectively? (Choose three.)

Question 29 (hard, multi select)

During a security incident, an analyst notices that certain malware traffic is using port 443 but is being identified as 'ssl'. The malware uses a unique handshake that differs from standard SSL. Which two actions should the analyst take to correctly identify and block this malware? (Choose two.)

Question 30 (easy, multiple choice)

Given the security policy above, what will happen to an HTTP request from a user to a public website?

Exhibit

Refer to the exhibit.
show running security-policy
rule 1 name "Allow-Web"
  source any
  destination any
  application web-browsing
  action allow
  profile threat
rule 2 name "Block-All"
  source any
  destination any
  application any
  action deny

Question 31 (medium, multiple choice)

An engineer checks the application counter and sees that my-custom-app has zero packets, but they expected traffic from 10.0.0.0/24 to 10.1.0.0/24 to be identified as my-custom-app. What is the most likely reason?

Exhibit

Refer to the exhibit.
> show app-app-id counter
Application         Packets   Flags
web-browsing        1000
ssl                 500
my-custom-app       0
> show app-override rule
Name: Override-SSH
Source: 10.0.0.0/24
Destination: 10.1.0.0/24
Application: my-custom-app

Question 32 (hard, multiple choice)

A threat log entry shows a threat detected in SSL traffic to 10.0.0.5, which is a server in the internal network. However, the decryption policy has a rule to no-decrypt traffic to 10.0.0.0/8 from internal sources. What is the most likely reason the threat was detected?

Exhibit

Refer to the exhibit.
admin@PA-1> show system info | match model
model: PA-5250
admin@PA-1> show running decryption policy
rule 1 name "No-Decrypt-Internal"
  source 192.168.0.0/16
  destination 10.0.0.0/8
  service https
  action no-decrypt
rule 2 name "Decrypt-All"
  source any
  destination any
  service https
  action decrypt
  profile "default-forward-proxy"
admin@PA-1> show running security policy
rule 1 name "Allow-All"
  source any
  destination any
  application any
  service https
  action allow
  profile threat
admin@PA-1> show threat log | match 10.0.0.5
<log entry: threat detected in SSL traffic>

Question 33 (easy, multiple choice)

A network administrator notices that web-browsing traffic is being classified as 'incomplete' in the App-ID table. What is the most likely cause?

Question 34 (medium, multiple choice)

A company uses a custom application for internal VoIP traffic. The custom App-ID signature is configured with the correct protocol and port, but traffic is still not matching. The firewall shows the application as 'unknown-tcp'. What should the administrator check next?

Question 35 (hard, multiple choice)

An organization has two different applications (AppA and AppB) that both use TCP port 8080. The firewall must apply different security policies to each application. What is the recommended approach?

Question 36 (easy, multiple choice)

A firewall shows session logs with application 'incomplete' for many SSL connections. Which action should be taken to improve App-ID accuracy?

Question 37 (medium, multiple choice)

A network engineer wants to reduce the number of applications in security policies by combining several applications that are always used together. What is the best practice?

Question 38 (hard, multiple choice)

A firewall in a high-availability pair shows that App-ID signatures are not syncing between units. Sessions are failing over but application identification is incorrect on the passive unit. What should the administrator verify?

Question 39 (easy, multiple choice)

When configuring a custom application signature, which field is mandatory to define the application?

Question 40 (medium, multiple choice)

A security policy has an application list with 'facebook-chat' and 'facebook-base'. A user reports that Facebook messages are being blocked. The firewall logs show the application as 'facebook-base' but not as 'facebook-chat'. What is the most likely reason?

Question 41 (hard, multiple choice)

During a security audit, it is discovered that a custom application signature matches too broadly, causing benign traffic to be classified as the custom app. What change should be made to narrow the signature?

Question 42 (medium, multi select)

Which TWO factors can cause traffic to be classified as 'incomplete' by App-ID? (Choose two.)

Question 43 (hard, multi select)

Which THREE attributes can be used in a custom App-ID signature to identify an application? (Choose three.)

Question 44 (easy, multi select)

Which TWO are best practices when configuring App-ID for a production environment? (Choose two.)

Question 45 (easy, multiple choice)

A security administrator notices that HTTP traffic is correctly identified as web-browsing but HTTPS traffic is showing as ssl. The company uses a custom HTTPS-based application that needs to be identified by its own App-ID. What should the administrator do?

Question 46 (medium, multiple choice)

A company has an application signature for an internal ERP system that uses a proprietary protocol over TCP port 4444. The ERP traffic is sometimes misidentified as unknown-tcp. Which App-ID mechanism should be used to improve identification without affecting the default App-ID engine?

Question 47 (hard, multiple choice)

During a security audit, an administrator finds that traffic on TCP port 443 is classified as web-browsing, but the firewall is configured to use SSL decryption. However, the traffic is not decrypted because it uses a self-signed certificate from an internal CA that is not trusted by the firewall. How should the administrator fix this to enable proper App-ID?

Question 48 (medium, multiple choice)

An administrator wants to apply different security policies for different applications that may use the same IP addresses and ports. Which firewall configuration feature should be used?

Question 49 (hard, multiple choice)

After upgrading PAN-OS from version 9.1 to 10.0, an administrator notices that traffic for an internal custom application is now classified as unknown-tcp instead of the expected custom application. The application was defined using a custom App-ID in the previous version. What is the most likely cause?

Question 50 (easy, multiple choice)

A network administrator wants to ensure that all traffic traversing the firewall is correctly identified by App-ID before any security policies are evaluated. Which step is essential?

Question 51 (medium, multiple choice)

An organization uses a SaaS application that runs on a dynamic set of IP addresses. The application traffic is currently identified as ssl and not as the specific application. How can the administrator improve application identification for this SaaS application?

Question 52 (medium, multi select)

Which TWO actions can help App-ID correctly identify a custom application that communicates over TCP port 8443 using SSL/TLS with a known internal hostname?

Question 53 (hard, multi select)

An administrator is troubleshooting low throughput for a business-critical application that is identified as web-browsing instead of the custom app. The firewall is in inline mode. Which THREE potential causes should be investigated?

Question 54 (easy, multi select)

Which TWO settings must be configured in a security policy rule to ensure the rule only matches when a specific application is detected on its standard port?

Question 55 (hard, multiple choice)

Refer to the exhibit. An administrator notices that HTTPS traffic to a specific website is being denied. What is the most likely cause?

Exhibit

user@fw> show running security-policy
rule 1: name "Allow-Web" from trust to untrust source any destination any application web-browsing service application-default action allow
rule 2: name "Allow-SSL" from trust to untrust source any destination any application ssl service application-default action allow
rule 3: name "Block-Other" from trust to untrust source any destination any application any service any action deny log-start
rule 4: name "Allow-All" from trust to trust source any destination any application any service any action allow

Question 56 (medium, multiple choice)

A large enterprise uses a custom application that communicates over TCP port 8080 using HTTP. The application traffic is correctly identified as 'custom-app' by App-ID. Recently, the development team changed the application to use HTTPS on the same port. The firewall administrator updated the security policy to allow the application, using the same application name, but now the traffic is being denied. The firewall logs show the application as 'ssl' and the action 'deny'. The security policy has a rule that allows 'custom-app' from inside to outside. What should the administrator do to resolve this issue?

Question 57 (hard, multiple choice)

A managed security service provider (MSSP) manages firewalls for multiple customers. One customer reports that their ERP application traffic is being dropped intermittently. The firewall logs show that the traffic is sometimes identified as 'erp-app' and allowed, and other times identified as 'unknown-tcp' and denied. The ERP application uses a proprietary protocol over TCP port 5555. The firewall has a custom application definition for 'erp-app' that uses a data pattern. The administrator verifies that the data pattern is correct. What should the administrator do to ensure consistent identification?

Question 58 (easy, multiple choice)

A school district wants to allow YouTube for Education (a subcategory of YouTube) but block general YouTube traffic. The firewall uses URL filtering and App-ID. Currently, all YouTube traffic is identified as 'youtube' application, and the URL filtering category is 'educational-videos' for the education version. The administrator creates a security rule that allows application 'youtube' and URL category 'educational-videos'. However, all YouTube traffic is being blocked. What is the most likely cause?

Question 59 (medium, multiple choice)

A financial trading firm has a low-latency network. The firewall administrator notices that some trading application traffic is being dropped sporadically. The security policy allows the application 'trading-app' over default port 5000. The logs show the application is identified correctly as 'trading-app', but the action is deny. The administrator checks the security policy and finds that there is a prior rule that denies all traffic with application 'unknown-tcp'. What could be causing the trading application traffic to match the deny rule?

Question 60 (medium, multiple choice)

Dynamics Inc., a mid-sized company, uses Palo Alto Networks PA-5250 firewalls at their data center. They recently deployed a new web-based CRM application that uses HTTPS and WebSocket connections on TCP port 8443. The security team configured a custom application 'crm-app' with a signature that matches the 'Host' header in HTTP requests, and set the protocol decoder to 'tcp' and the port to 8443. The application is used in a security policy to allow traffic from internal users to the CRM server. However, after deployment, the traffic logs show the application is identified as 'ssl' instead of 'crm-app'. The firewall's App-ID and threat prevention subscriptions are active and up to date. The team has verified that the custom application signature is correctly configured, and the traffic clearly matches the defined host header. Which action should be taken to ensure the CRM traffic is correctly identified by App-ID?

Question 61 (hard, multiple choice)

Refer to the exhibit. A user at 10.1.1.100 reports that they cannot access a website at 10.2.2.200 over HTTPS. The firewall shows the session is allowed with application web-browsing, but the security policy rule "Allow-Web" has application set to ssl. What is the most likely cause?

Exhibit

show running security-policy
rule 10 {
    name "Allow-Web"
    source any
    destination any
    application ssl
    service application-default
    action allow
}
show session all filter source 10.1.1.100 destination 10.2.2.200
session id 1234, application web-browsing, ...

Question 62 (medium, multi select)

A security administrator is configuring App-ID to identify custom applications over TCP port 8080. The traffic is HTTP-based but the firewall is classifying it as 'web-browsing'. Which two steps should the administrator take to ensure the traffic is correctly identified as the custom application? (Choose two.)

Question 63 (easy, multiple choice)

A company uses a Palo Alto Networks firewall with App-ID enabled. They have a custom application that communicates over TCP port 5001. The administrator has created a custom App-ID signature and a security rule that allows this application from the internal zone (trust) to the external zone (untrust). Users report that the custom application traffic is being blocked. The administrator checks the traffic logs and sees that the sessions are being matched to a different security rule that denies any traffic from trust to untrust. The deny rule appears before the custom allow rule in the policy list. The custom App-ID signature is properly defined and tested. What should the administrator do to resolve this issue?
