Sample questions
Palo Alto Networks Certified Network Security Engineer PCNSE practice questions
Order the steps to configure a static route on a Palo Alto Networks firewall.
Arrange the steps to enable and configure GlobalProtect on a Palo Alto Networks firewall.
Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.
Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.
Arrange the steps to configure a new administrator account with role-based access.
Order the steps to upgrade the PAN-OS software on a standalone firewall.
An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?
Trap 1: The traffic is being decrypted by an SSL Forward Proxy rule.
Decryption does not cause drops; it may affect identification but not silent drops.
Trap 2: The traffic is matched by a rule with action 'deny' and logging is…
Even with logging disabled, a denied session appears briefly in the session table.
Trap 3: The interzone default rule is set to deny.
Default deny rules log drops, so they would not be silent.
- A
The traffic is being decrypted by an SSL Forward Proxy rule.
Why wrong: Decryption does not cause drops; it may affect identification but not silent drops.
- B
The traffic is taking an asymmetric path and the firewall sees only one direction.
Asymmetric routing prevents session setup, causing silent drops.
- C
The traffic is matched by a rule with action 'deny' and logging is disabled.
Why wrong: Even with logging disabled, a denied session appears briefly in the session table.
- D
The interzone default rule is set to deny.
Why wrong: Default deny rules log drops, so they would not be silent.
Which component of the PAN-OS architecture is responsible for processing security policies and performing packet inspection?
Trap 1: Panorama plane
Panorama is a central management system, not a component of a single firewall.
Trap 2: Management plane
Management plane handles admin access and system management, not packet processing.
Trap 3: Control plane
Control plane manages routing protocols and high availability, not packet inspection.
- A
Panorama plane
Why wrong: Panorama is a central management system, not a component of a single firewall.
- B
Management plane
Why wrong: Management plane handles admin access and system management, not packet processing.
- C
Data plane
Data plane processes all packets and enforces security policies.
- D
Control plane
Why wrong: Control plane manages routing protocols and high availability, not packet inspection.
A company has configured a security policy that allows HTTP traffic from the internal network 10.0.0.0/8 to the internet. However, users from subnet 10.2.0.0/24 are unable to access external websites. The firewall logs show that traffic from 10.2.0.100 to 203.0.113.1 on port 80 is being denied. Which action should the administrator take to resolve the issue?
Trap 1: Modify the existing allow rule to include the entire 10.2.0.0/24…
Modifying the existing rule might not work if a deny rule above it still matches the traffic.
Trap 2: Change the destination zone of the allow rule to 'any'.
Changing the destination zone is not relevant; the issue is rule order.
Trap 3: Delete the deny rule that is blocking the traffic.
Deleting the deny rule could expose other traffic that should be blocked.
- A
Modify the existing allow rule to include the entire 10.2.0.0/24 subnet in the source.
Why wrong: Modifying the existing rule might not work if a deny rule above it still matches the traffic.
- B
Change the destination zone of the allow rule to 'any'.
Why wrong: Changing the destination zone is not relevant; the issue is rule order.
- C
Add a new security rule allowing traffic from 10.2.0.0/24 and place it above the existing deny rule.
A rule placed higher in the order matches first. Adding an allow rule above the deny rule will permit the traffic.
- D
Delete the deny rule that is blocking the traffic.
Why wrong: Deleting the deny rule could expose other traffic that should be blocked.
An organization wants to map user identity from Active Directory for traffic coming from internal LAN users without installing any agent on domain controllers. Which User-ID mapping method should be used?
Trap 1: XML API
XML API is not a User-ID method; it is used for programmatic access to the firewall.
Trap 2: Terminal Services Agent
Terminal Services Agent is for mapping users on terminal servers, not domain controllers.
Trap 3: Captive Portal
Captive Portal requires users to authenticate via a web page, not agentless AD polling.
- A
Active Directory polling
Active Directory polling retrieves user-IP mappings from domain controller logs.
- B
XML API
Why wrong: XML API is not a User-ID method; it is used for programmatic access to the firewall.
- C
Terminal Services Agent
Why wrong: Terminal Services Agent is for mapping users on terminal servers, not domain controllers.
- D
Captive Portal
Why wrong: Captive Portal requires users to authenticate via a web page, not agentless AD polling.
A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?
Trap 1: Packet filtering rules
Packet filtering does not allocate resources.
Trap 2: Session limit rules
Session limits only restrict the number of sessions, not CPU usage.
Trap 3: QoS profiles
QoS controls traffic bandwidth, not CPU or session resources.
- A
Packet filtering rules
Why wrong: Packet filtering does not allocate resources.
- B
Session limit rules
Why wrong: Session limits only restrict the number of sessions, not CPU usage.
- C
QoS profiles
Why wrong: QoS controls traffic bandwidth, not CPU or session resources.
- D
Resource profiles
Resource profiles allocate CPU, session, and memory resources per vsys.
A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?
Trap 1: The destination NAT is configured incorrectly.
Destination NAT would not affect outbound sessions; it changes the destination on inbound.
Trap 2: The security policy is missing the return traffic rule.
Security policy is stateful, so return traffic is allowed automatically if the outbound session is allowed.
Trap 3: The firewall is in FIPS mode.
FIPS mode affects encryption, not basic connectivity.
- A
The destination NAT is configured incorrectly.
Why wrong: Destination NAT would not affect outbound sessions; it changes the destination on inbound.
- B
The security policy is missing the return traffic rule.
Why wrong: Security policy is stateful, so return traffic is allowed automatically if the outbound session is allowed.
- C
The firewall is in FIPS mode.
Why wrong: FIPS mode affects encryption, not basic connectivity.
- D
The source NAT is not configured.
Without source NAT, the packet's source IP remains private, and the server replies to that private IP, which may not return to the firewall.
Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?
Exhibit
```
set decryption rule decrypt-ssl from zone untrust to zone trust source any destination any application ssl action decrypt ssl-forward-proxy
set decryption rule no-decrypt from zone untrust to zone trust source any destination any application ssl category finance,healthcare action no-decrypt
```
Trap 1: The traffic is decrypted because the first rule matches.
The first rule would match, but the second rule is more specific and overrides it for the finance category.
Trap 2: The traffic is dropped because no rule matches.
Both rules match, but the no-decrypt action applies.
Trap 3: The traffic is decrypted only if the SSL certificate is installed.
Certificate installation is required for decryption, but the rule set to no-decrypt prevents it.
- A
The traffic is decrypted because the first rule matches.
Why wrong: The first rule would match, but the second rule is more specific and overrides it for the finance category.
- B
The traffic is dropped because no rule matches.
Why wrong: Both rules match, but the no-decrypt action applies.
- C
The traffic is decrypted only if the SSL certificate is installed.
Why wrong: Certificate installation is required for decryption, but the rule set to no-decrypt prevents it.
- D
The traffic is not decrypted because the second rule matches and overrides the first.
The no-decrypt rule for category finance matches, so decryption is bypassed.
A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?
Trap 1: The application's timeout value is too short.
Timeout values affect session keepalive, not identification.
Trap 2: Content-ID is disabled on the security policy.
Content-ID handles data filtering, not application identification.
Trap 3: The application requires URL categorization to be enabled.
URL categorization is separate from App-ID.
- A
The application's timeout value is too short.
Why wrong: Timeout values affect session keepalive, not identification.
- B
The application is defined with the wrong protocol (TCP vs UDP).
If the custom application uses TCP but is defined as UDP, App-ID will not match.
- C
Content-ID is disabled on the security policy.
Why wrong: Content-ID handles data filtering, not application identification.
- D
The application requires URL categorization to be enabled.
Why wrong: URL categorization is separate from App-ID.
A security administrator wants to block traffic from IP address 192.168.1.100 to the internet. The firewall has a security policy that allows all outbound traffic. Which action should be taken to most efficiently block this specific host?
Trap 1: Configure a Zone Protection profile to block the IP.
Zone Protection profiles deal with DoS attacks, not access control.
Trap 2: Apply a QoS policy to limit the bandwidth from that IP to zero.
QoS limits bandwidth but does not block traffic cleanly.
Trap 3: Add the IP to an External Dynamic List and reference it in a…
This is valid but more complex than necessary for a single IP.
- A
Configure a Zone Protection profile to block the IP.
Why wrong: Zone Protection profiles deal with DoS attacks, not access control.
- B
Create a new security rule with source IP 192.168.1.100 and action 'deny', placed before the allow rule.
A simple deny rule is the most efficient method.
- C
Apply a QoS policy to limit the bandwidth from that IP to zero.
Why wrong: QoS limits bandwidth but does not block traffic cleanly.
- D
Add the IP to an External Dynamic List and reference it in a security rule.
Why wrong: This is valid but more complex than necessary for a single IP.
An administrator configures the management interface with IP 192.168.1.1/24 and can ping it from a host on the same subnet, but cannot access the web interface. What is the likely cause?
Trap 1: The web server is not running.
The web server is integral to the firewall; it's always running if management is enabled.
Trap 2: The host is not in the allowed IP list.
By default, all IPs are allowed; if restricted, ping would also likely fail.
Trap 3: The firewall is in FIPS mode.
FIPS mode does not block the web interface; it enforces more stringent encryption.
- A
The web server is not running.
Why wrong: The web server is integral to the firewall; it's always running if management is enabled.
- B
The host is not in the allowed IP list.
Why wrong: By default, all IPs are allowed; if restricted, ping would also likely fail.
- C
The firewall is in FIPS mode.
Why wrong: FIPS mode does not block the web interface; it enforces more stringent encryption.
- D
HTTP/HTTPS is not enabled in the interface management profile.
The management profile must explicitly allow HTTP/HTTPS.
Which TWO of the following are mandatory requirements for forming an active/passive HA pair between two Palo Alto Networks firewalls? (Choose exactly two.)
Trap 1: Both firewalls must have the same number of active VLANs.
VLAN count does not affect HA formation.
Trap 2: Both firewalls must use the same management interface IP address.
Management IPs must be unique, so the two peers will have different addresses.
Trap 3: Both firewalls must have identical license subscriptions.
Licenses can differ; HA synchronization works regardless, but features may not be available if not licensed.
- A
Both firewalls must be the same hardware model.
Different models are not compatible for HA.
- B
Both firewalls must have the same number of active VLANs.
Why wrong: VLAN count does not affect HA formation.
- C
Both firewalls must run the same PAN-OS version.
Version mismatch is not allowed for HA.
- D
Both firewalls must use the same management interface IP address.
Why wrong: Management IPs must be unique, so the two peers will have different addresses.
- E
Both firewalls must have identical license subscriptions.
Why wrong: Licenses can differ; HA synchronization works regardless, but features may not be available if not licensed.
Which TWO of the following are true regarding Panorama's templates and device groups?
Trap 1: Device groups can only contain firewalls of the same model.
Device groups can contain different models.
Trap 2: Templates override device group settings when both are applied.
Templates and device groups are independent; templates handle network, device groups handle policies.
Trap 3: Panorama cannot manage firewalls in different geographic locations.
Panorama can manage firewalls globally.
- A
Device groups can only contain firewalls of the same model.
Why wrong: Device groups can contain different models.
- B
Templates are used to push network configurations such as interfaces, virtual routers, and zones.
Templates are for network settings.
- C
Templates override device group settings when both are applied.
Why wrong: Templates and device groups are independent; templates handle network, device groups handle policies.
- D
Panorama cannot manage firewalls in different geographic locations.
Why wrong: Panorama can manage firewalls globally.
- E
Shared policies are defined in the 'Shared' device group and are inherited by all other device groups.
Shared device group provides base policies.
Which THREE of the following are key differences between the Palo Alto Networks Next-Generation Firewall and Cloud-Delivered Security Services (CDSS)?
Trap 1: CDSS performs full application-level packet inspection.
Packet inspection is done by the firewall, not CDSS.
Trap 2: CDSS is a replacement for the firewall's local threat prevention…
CDSS complements, not replaces, local capabilities.
- A
CDSS performs full application-level packet inspection.
Why wrong: Packet inspection is done by the firewall, not CDSS.
- B
CDSS offers services like DNS Security and WildFire that require an internet connection to the cloud.
These services rely on cloud connectivity.
- C
CDSS provides cloud-based threat analysis and signature updates, while the firewall is the enforcement point.
CDSS offloads analysis to the cloud.
- D
CDSS is a replacement for the firewall's local threat prevention functionality.
Why wrong: CDSS complements, not replaces, local capabilities.
- E
CDSS can automatically share threat intelligence across all subscribed firewalls.
Threat intelligence is shared via cloud.
A company is deploying a Palo Alto Networks firewall in an existing Layer 2 switched environment. They need to inspect traffic between VLAN 10 and VLAN 20 without changing the IP addresses of hosts and without performing any routing. Which firewall mode should be used?
Trap 1: Virtual Wire
Virtual Wire mode provides transparent inline inspection on a single segment; handling multiple VLANs requires additional configuration such as subinterfaces, and it does not perform routing between VLANs.
Trap 2: Tap mode
Tap mode is passive monitoring only; traffic flows through the firewall but no inspection or control is applied.
Trap 3: Layer 3
Layer 3 mode requires IP addresses on interfaces and performs routing, which changes the network topology.
- A
Virtual Wire
Why wrong: Virtual Wire mode provides transparent inline inspection on a single segment; handling multiple VLANs requires additional configuration such as subinterfaces, and it does not perform routing between VLANs.
- B
Tap mode
Why wrong: Tap mode is passive monitoring only; traffic flows through the firewall but no inspection or control is applied.
- C
Transparent (Layer 2)
Correct. Transparent mode bridges VLANs at Layer 2, enabling inspection without IP changes.
- D
Layer 3
Why wrong: Layer 3 mode requires IP addresses on interfaces and performs routing, which changes the network topology.
A security administrator configures a new network template in Panorama and assigns it to a template stack. The template stack is associated with a device group containing several firewalls. After committing the Panorama configuration and pushing to devices, some firewalls in the device group do not have the new template settings. What is the most likely cause?
Trap 1: The device group has not been committed.
Committing the device group is necessary for policy changes, but template changes are separate and pushed via template stack.
Trap 2: The firewalls are not licensed for Panorama management.
Firewalls need to be registered, but licensing allows management; missing template is not a licensing issue.
Trap 3: The template is in 'preview' mode.
There is no 'preview' mode for templates; templates are either committed or not.
- A
The firewalls that are not receiving the template are not included in the same template stack.
Correct. A template stack groups firewalls that share the same template configurations.
- B
The device group has not been committed.
Why wrong: Committing the device group is necessary for policy changes, but template changes are separate and pushed via template stack.
- C
The firewalls are not licensed for Panorama management.
Why wrong: Firewalls need to be registered, but licensing allows management; missing template is not a licensing issue.
- D
The template is in 'preview' mode.
Why wrong: There is no 'preview' mode for templates; templates are either committed or not.
Which TWO types of traffic should typically be excluded from SSL decryption for compliance or operational reasons? (Choose two.)
Trap 1: Traffic to social media websites.
Typically not a compliance concern.
Trap 2: Traffic between internal data center servers.
Internal traffic is often decrypted to detect lateral movement.
Trap 3: Traffic to external email services (e.g., Gmail).
Often decrypted for security.
- A
Traffic to social media websites.
Why wrong: Typically not a compliance concern.
- B
Traffic between internal data center servers.
Why wrong: Internal traffic is often decrypted to detect lateral movement.
- C
Traffic to healthcare portals and electronic medical records.
HIPAA and other regulations may restrict decryption.
- D
Traffic to financial services websites (e.g., banking, investment).
Regulatory compliance may prohibit decryption of financial data.
- E
Traffic to external email services (e.g., Gmail).
Why wrong: Often decrypted for security.
Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?
Exhibit
Refer to the exhibit.
```
> show ssl-decrypt statistics
SSL Decryption Statistics
Total sessions decrypted: 45032
Total sessions bypassed: 2341
Bypass reasons:
  unsupported cipher: 1200
  certificate validation failure: 800
  handshake failure: 341
Currently active sessions: 105
```
Trap 1: The firewall is overloaded and cannot handle more decryption…
Active sessions are low, so the firewall is not overloaded.
Trap 2: The decryption certificate is not trusted by clients.
That would cause certificate validation failures, which are fewer.
Trap 3: There is a network connectivity issue between firewall and servers.
Connectivity issues would cause handshake failures, which are minimal.
- A
The firewall's SSL/TLS service profile does not include the cipher suites used by the clients or servers.
Most bypasses are due to unsupported ciphers.
- B
The firewall is overloaded and cannot handle more decryption sessions.
Why wrong: Active sessions are low, so the firewall is not overloaded.
- C
The decryption certificate is not trusted by clients.
Why wrong: That would cause certificate validation failures, which are fewer.
- D
There is a network connectivity issue between firewall and servers.
Why wrong: Connectivity issues would cause handshake failures, which are minimal.
A company wants to decrypt traffic to productivity and collaboration sites but avoid decrypting traffic to financial and healthcare sites due to compliance. How should the SSL decryption policy be configured?
Trap 1: Add all financial and healthcare sites to a custom URL list and…
Impractical to list all sites; categories are dynamic.
Trap 2: Create a decrypt-all rule and then add exceptions for financial and…
Not efficient; exceptions could miss other compliance issues.
Trap 3: Use time-based rules to apply decryption only during business hours.
Time-based rules are not applicable for category-based exclusions.
- A
Add all financial and healthcare sites to a custom URL list and exclude them.
Why wrong: Impractical to list all sites; categories are dynamic.
- B
Create a decrypt-all rule and then add exceptions for financial and healthcare categories.
Why wrong: Not efficient; exceptions could miss other compliance issues.
- C
Create a rule to decrypt based on URL categories except financial and healthcare.
Allows targeted decryption based on categories.
- D
Use time-based rules to apply decryption only during business hours.
Why wrong: Time-based rules are not applicable for category-based exclusions.