PCNSA · topic practice

Decryption and Monitoring practice questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA Decryption and Monitoring practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Decryption and Monitoring

What the exam tests

What to know about Decryption and Monitoring

Decryption and Monitoring questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Decryption and Monitoring exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Decryption and Monitoring questions

20 questions · select your answer, then reveal the explanation

A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?

A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?

A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?

A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?

Which monitoring tool in Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?

An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?

During a security audit, it is discovered that some internal hosts are using TLS 1.0, which is deprecated. The firewall is configured to decrypt SSL traffic. How can the administrator use the firewall to detect and report these connections without breaking them?

A company uses SSL Forward Proxy decryption. The firewall's decryption certificate expires. What immediate impact does this have on traffic?

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

Which THREE of the following are valid actions for a decryption policy rule? (Choose three.)

Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)

Refer to the exhibit. An administrator notices a large number of decryption sessions. What is a valid conclusion based on the output?

Exhibit

Refer to the exhibit.

# show system info | match decrypt
Decryption status: enabled
Decryption sessions: 523 (current), 1024 (peak)
Certificate errors: 12 (since last hour)

# show decryption statistics
Policy hits: Decrypt: 1500, No Decrypt: 300
TLS version failures: 5 (TLS 1.0: 3, TLS 1.1: 2)

Refer to the exhibit. A user in the trust zone accesses a banking site (category: financial-services). What action will the firewall take on this HTTPS session?

Exhibit

Refer to the exhibit.

{
  "decryption_rules": [
    {
      "name": "rule1",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["financial-services"],
      "action": "no-decrypt",
      "description": "Skip decryption for finance sites"
    },
    {
      "name": "rule2",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["any"],
      "action": "decrypt",
      "description": "Decrypt all other traffic"
    }
  ]
}
Question 14hardmultiple choice
Review the full subnetting walkthrough →

A mid-sized enterprise has deployed a Palo Alto Networks firewall with SSL Forward Proxy decryption for outbound traffic. The firewall uses a CA-signed certificate from a public CA, and the certificate is installed on all corporate-managed endpoints. Recently, the security team noticed that a few users are unable to access a specific external SaaS application (app.example.com) over HTTPS. Other users can access it without issues. The firewall logs show that for these users, the session is being decrypted and no threat is detected. The application uses a valid certificate from a public CA. The affected users are in the same IP subnet and use the same browser version. Which is the most likely cause?

A university uses a Palo Alto Networks firewall to protect its network. They have implemented SSL Forward Proxy decryption for all student traffic. Recently, the IT helpdesk has received complaints from students that some websites (e.g., online banking, healthcare portals) are not loading properly. The firewall logs show that these sites are being decrypted, and no threats are detected. The university's legal team has advised that decryption of financial and healthcare sites may violate regulations. The network team wants to quickly resolve the issue while ensuring compliance. What is the best course of action?

A security administrator needs to inspect traffic to a critical web server that uses HTTPS. The firewall is configured as a forward proxy for outbound traffic. Which decryption type should be used to decrypt the traffic inbound to the web server?

A company wants to decrypt all SSL/TLS traffic from internal users except traffic to financial sites. The firewall is placed as a forward proxy. Which policy configuration ensures that traffic to financial sites is not decrypted?

During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?

A firewall is configured for inbound inspection decryption. Which certificate must be installed on the firewall for this to work?

A network administrator wants to monitor HTTPS traffic without decrypting it, but still wants to identify the applications being used. Which feature can be used to identify HTTPS applications without decryption?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Decryption and Monitoring sessions

Start a Decryption and Monitoring only practice session

Every question in these sessions is drawn from the Decryption and Monitoring domain — nothing else.

Related practice questions

Related PCNSA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCNSA exam test about Decryption and Monitoring?
Decryption and Monitoring questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Decryption and Monitoring questions in a focused session?
Yes — the session launcher on this page draws every question from the Decryption and Monitoring domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSA topics?
Use the topic links above to move to related areas, or go back to the PCNSA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSA exam covers. They are not copied from any real exam or dump site.