
Scenario-based practice

Hard Difficulty Questions

Practise Palo Alto Networks Certified Network Security Engineer PCNSE practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: PCNSE | Vendor: Palo Alto Networks

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?

Question 2 (hard, multiple choice)

A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?

Question 3 (hard, multiple choice)

A firewall is using App-ID to identify applications running on non-standard ports. The administrator has configured a custom application with a default port of 8080, but traffic on port 8080 is still not being identified correctly. The application uses multiple connections on different ports. What is the most likely cause?

Question 4 (hard, multi-select)

Which THREE of the following are key differences between the Palo Alto Networks Next-Generation Firewall and Cloud-Delivered Security Services (CDSS)?

Question 5 (hard, multi-select)

Which TWO statements are true about TLS version 1.3 support in Palo Alto Networks decryption?

Question 6 (hard, multi-select)

Which THREE of the following are mandatory components for GlobalProtect client connectivity?

Question 7 (hard, multiple choice)

A firewall receives traffic with IP options enabled. How does the firewall handle this traffic by default?

Question 8 (hard, multi-select)

Which THREE are valid methods to provide redundancy for outbound internet traffic in a Palo Alto Networks firewall?

Question 9 (hard, multiple choice)

Two firewalls in an active/passive HA configuration are not synchronizing sessions. The 'show high-availability state' command shows both peers as 'active' and 'passive' correctly, but session synchronization is not working. What is the most likely cause?

Question 10 (hard, multiple choice)

A firewall is experiencing slow performance. The administrator runs 'show counter global' and sees that the 'flow_aged_error_tcp_mss' counter is incrementing rapidly. What does this indicate?

Question 11 (hard, multi-select)

Which TWO configurations are required for User-ID to work using the Windows User-ID Agent (WUA) in a distributed environment?

Question 12 (hard, multiple choice)

A company has a PA-3260 firewall configured with multiple virtual routers for segmentation. A new subnet 192.168.30.0/24 is added behind a Layer 3 interface that is part of virtual router 'VR-A'. The administrator adds a static route on the firewall to reach the subnet via next-hop 10.0.0.1. However, hosts in another virtual router 'VR-B' cannot reach the new subnet. The route is present in VR-A's routing table. What should the administrator do to resolve the issue?

Question 13 (hard, multi-select)

Which THREE are common causes of high CPU utilization on a Palo Alto Networks firewall? (Choose three.)

Question 14 (hard, multiple choice)

A GlobalProtect gateway is configured as shown. Remote users report that they can connect to the gateway but cannot authenticate. The users are using the GlobalProtect client with certificate authentication. What is the most likely cause?

Exhibit

Refer to the exhibit.
set shared gateway "Corp-Gateway" authentication method "client-certificate"
set shared gateway "Corp-Gateway" client-config dns-server "8.8.8.8"
set shared gateway "Corp-Gateway" client-config ip-pool "10.250.0.1-10.250.0.254"
set shared gateway "Corp-Gateway" tunnel-config ipsec-crypto "AES256-SHA256-DH5"

Question 15 (hard, multiple choice)

A firewall is configured with two virtual routers in an active/passive HA pair. The active firewall fails over, and after failover, traffic is not passing through the new active firewall. The interface IP addresses are configured as virtual IPs. What is the most likely cause?

Question 16 (hard, multi-select)

A firewall is part of a Panorama-managed environment. The administrator needs to ensure that only specific administrators can commit changes to devices. Which TWO actions are required? (Choose two.)

Question 17 (hard, multi-select)

Which TWO troubleshooting steps are most effective when an HA pair is not synchronizing sessions between peers? (Assume HA1 and HA2 are up.)

Question 18 (hard, multiple choice)

In an Active/Passive HA pair, the passive firewall reports 'non-functional' state. The 'show high-availability state' output on the passive shows 'state: non-functional' and 'reason: configuration mismatch'. The active firewall shows 'state: active' and 'reason: no reason'. Which action should be taken to resolve the issue without disrupting traffic?

Question 19 (hard, multiple choice)

An HA pair is deployed with Active/Active mode. During a traffic spike, session table utilization reaches 90% on both firewalls. The engineer notices asymmetric routing and drops. What should be configured to optimize session distribution?

Question 20 (hard, multiple choice)

After a power failure, both firewalls in an HA pair come up and report 'active' state. The network team confirms that the two firewalls are connected via HA1 and HA2. What is the most likely cause of the split-brain condition?

These PCNSE practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.