Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Palo Alto Networks Certified Network Security Engineer (PCNSE) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 15
Exam code: PCNSE
Vendor: Palo Alto Networks

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. A user attempts to access a banking site (category: finance) over HTTPS. What will happen?

Exhibit

```
set decryption rule decrypt-ssl from zone untrust to zone trust source any destination any application ssl action decrypt ssl-forward-proxy
set decryption rule no-decrypt from zone untrust to zone trust source any destination any application ssl category finance,healthcare action no-decrypt
```
Question 2 (medium, multiple choice)

Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?

Exhibit

Refer to the exhibit.
```
> show ssl-decrypt statistics

SSL Decryption Statistics
Total sessions decrypted: 45032
Total sessions bypassed: 2341
Bypass reasons:
  unsupported cipher: 1200
  certificate validation failure: 800
  handshake failure: 341
Currently active sessions: 105
```
Question 3 (easy, multiple choice)

Refer to the exhibit. What is the primary cause of the 'non-functional' state?

Exhibit

```
admin@PA-220> show high-availability state

High-Availability State: non-functional
  State: non-functional
  Reason: configuration mismatch
  Local: functional, sync-pending
  Peer: running, sync-pending
  Active: 10.1.1.1
  Passive: 10.1.1.2
  Last failure reason: configuration mismatch
```
Question 4 (medium, multiple choice)

Refer to the exhibit. An engineer configures HA with link monitoring and path monitoring. However, failover does not occur when ethernet1/2 goes down. What is the likely reason?

Exhibit

```
config shared {
    high-availability {
        mode active-passive;
        group-id 10;
        state-synchronization enable;
        link-monitoring {
            interfaces [ ethernet1/1 ethernet1/2 ];
            failure-condition any;
        }
        path-monitoring {
            enable yes;
            groups {
                group1 {
                    source-ip 10.0.0.1;
                    destination-ip [ 10.0.0.254 ];
                    interval 5;
                    threshold 10;
                }
            }
        }
    }
}
```
Question 5 (hard, multiple choice)

Refer to the exhibit. Based on the log, what triggered the failover?

Exhibit

```
2019-03-15 10:30:15.123 high-availability: HA state change from active to passive (reason: path-monitor-group-down)
2019-03-15 10:30:15.124 high-availability: Path monitoring group 'ISP1' failed: 0 out of 1 destinations reachable
```
Question 6 (medium, multiple choice)

Based on the exhibit, what is the impact of the current HA state on the network?

Exhibit

Refer to the exhibit.

```
admin@PA-5020> show high-availability state
  Group: 1
  State: passive
  Active State: active
  Passive State: passive
  Last operational state change: 2025-02-10 10:15:23
  HA1 link: up
  HA2 link: down
  HA3 link: up
  Session sync: not synchronized
  Configuration sync: synchronized
  Priority: 100
  Preemptive: no
```
Question 7 (hard, multiple choice)

Based on the exhibit, what is the most likely cause of the warnings?

Exhibit

Refer to the exhibit.

Configuration snippet:

```
HA configuration:
  mode: active-passive
  ha2 link: ethernet1/3
  ha2 keepalive timer: 1000
  ha3 link: ethernet1/4
  ha3 keepalive timer: 1000
  ha2 backup link: ethernet1/5
  ha3 backup link: none
  session synchronization: enabled
  configuration synchronization: enabled
```

Log entry:

```
2025/02/15 14:23:45 WARNING: HA2 keepalive missing from peer
2025/02/15 14:24:15 WARNING: HA2 backup link keepalive missing
```
Question 8 (hard, multiple choice)

Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?

Exhibit

```
2019-04-10 14:23:45, ERROR: ike: IKE negotiation failed: No proposal chosen (1.2.3.4 -> 5.6.7.8)
2019-04-10 14:23:45, WARN: ike: Phase 2 negotiation failed for vpn-tunnel1: no acceptable set of proposals
2019-04-10 14:23:46, INFO: ike: IPSec SA deleted (1.2.3.4 -> 5.6.7.8 spi 0x12345678)
```
Question 9 (easy, multiple choice)

Refer to the exhibit. A network engineer sees multiple IKE SAs for the same peer. What does this indicate?

Exhibit

```
admin@PA-5020> show vpn ike-sa
Gateway    Peer     Interface  Role      Life     LifeKB  State
GW1        10.1.1.1 ethernet1/2 Responder 86400   0       ACTIVE
GW1        10.1.1.1 ethernet1/2 Initiator 86400   0       ACTIVE
GW1        10.1.1.1 ethernet1/2 Responder 86400   0       ACTIVE
```
Question 10 (medium, multiple choice)

Refer to the exhibit. A firewall administrator configures an IPSec tunnel. After committing, the tunnel never becomes active. What is the most likely reason?

Exhibit

```
set network tunnel ipsec ipsec-tunnel VPN-Tunnel
 set tunnel-interface tunnel.1
 set proxy-id local 192.168.1.0/24
 set proxy-id remote 10.0.0.0/8
 set proxy-id protocol any
 set ike-gateway GW1
 set ipsec-crypto-profile AES256-SHA256
commit
```
Question 11 (hard, multiple choice)

Refer to the exhibit. An administrator notices that HTTPS traffic to a specific website is being denied. What is the most likely cause?

Exhibit

```
user@fw> show running security-policy
rule 1: name "Allow-Web" from trust to untrust source any destination any application web-browsing service application-default action allow
rule 2: name "Allow-SSL" from trust to untrust source any destination any application ssl service application-default action allow
rule 3: name "Block-Other" from trust to untrust source any destination any application any service any action deny log-start
rule 4: name "Allow-All" from trust to trust source any destination any application any service any action allow
```
Question 12 (medium, multiple choice)

Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?

Exhibit

```
admin@PA-5250> show routing route

IPv4 Route Table for virtual-router default

destination  nexthop      metric   flags  interface  age
0.0.0.0/0    10.1.1.1     10       A S    ethernet1/1  5m
10.1.1.0/24  10.1.1.100   0        A C    ethernet1/1  5m
10.2.2.0/24  10.1.1.200   1        A S    ethernet1/1  5m
10.3.3.0/24  10.1.1.200   1        A S    ethernet1/1  5m
```
Question 13 (hard, multiple choice)

Refer to the exhibit. A firewall administrator is investigating why traffic from a source IP 10.1.1.100 to destination 192.168.1.50 is not establishing sessions. The firewall has been up for 45 days. Based on the counters shown, what is the most likely cause?

Exhibit

```
admin@PA-5050> show system info | match uptime
Uptime: 45 days 3 hours 22 mins

admin@PA-5050> show session all filter source 10.1.1.100 destination 192.168.1.50
Session filter returned 0 sessions

admin@PA-5050> show counter global | match flow_tcp_non_syn
flow_tcp_non_syn: 15

admin@PA-5050> show counter global | match flow_tcp_handshake_fail
flow_tcp_handshake_fail: 8
```
Question 14 (medium, multiple choice)

Refer to the exhibit. The administrator committed this configuration but users cannot authenticate via SAML. What is the problem?

Exhibit

```
set authentication profile "SAML-Profile" method saml
set authentication profile "SAML-Profile" saml-identity-provider "AzureAD"
set authentication profile "SAML-Profile" saml-logout-url "https://login.microsoftonline.com/logout"
set authentication profile "SAML-Profile" method ldap
```
Question 15 (hard, multiple choice)

Refer to the exhibit. A user at IP 10.10.1.11 is unable to access internal resources that require authentication. The firewall logs show 'no user mapping' for traffic from this IP. Which step should the administrator take first?

Exhibit

```
admin@PA-5000> show user user-id dump
User-ID Dump
IP: 10.10.1.10     User: jdoe@company.com     Source: Pre-Login mapping
IP: 10.10.1.11     User: (unknown)
IP: 10.10.1.20     User: jsmith@company.com     Source: Kerberos
```

These PCNSE practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.