PCNSE · topic practice

Core Concepts and Architecture practice questions

Practise Palo Alto Networks Certified Network Security Engineer PCNSE Core Concepts and Architecture practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Core Concepts and Architecture

What the exam tests

What to know about Core Concepts and Architecture

Core Concepts and Architecture questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Core Concepts and Architecture exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Core Concepts and Architecture questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A security engineer needs to deploy a Palo Alto Networks firewall in a high-availability (HA) pair with active/passive mode. The firewall will inspect traffic for multiple tenants, each requiring separate routing and policy configuration. Which feature should be used to isolate tenant configurations while using a single pair of firewalls?

Question 2 · hard · multiple choice

A firewall administrator notices that traffic from a specific subnet is being unexpectedly dropped. The firewall log shows a 'flow_drop' reason of 'packet too long for interface MTU'. The interface MTU is set to 1500, and the packets are 1500 bytes. What is the most likely cause?

An organization wants to simplify firewall rule management by grouping related rules into logical units and applying them to specific sets of users or devices. Which Palo Alto Networks feature supports this requirement?

During a traffic spike, the firewall CPU utilization remains below 30% but the dataplane packet buffer usage is consistently above 90%. What is the most likely impact on firewall performance?

Question 5 · hard · multiple choice

A Palo Alto Networks firewall is configured with two virtual routers: VR-A (trust) and VR-B (untrust). An interface is placed in VR-A. A static route to 10.0.0.0/8 via next-hop 192.168.1.1 exists in VR-A. The firewall receives a packet from the trust zone destined to 10.1.1.1. The route lookup succeeds in VR-A. Which statement is true about the forwarding decision?

A network engineer is configuring App-ID for a custom application that uses a proprietary protocol over TCP port 12345. The application's traffic is not being identified as expected. Which configuration change should the engineer make to ensure the firewall correctly identifies this application?

Which Panorama deployment mode allows centralized management of firewalls while storing logs locally on each firewall instead of sending them to the Panorama log collector?

Question 8 · medium · multiple choice

A firewall has the routing table shown. A packet arrives on ethernet1/2 with source IP 10.0.0.50 and destination IP 10.0.0.100. Which route will be used for forwarding?

Exhibit

Refer to the exhibit.

```
admin@PA-5050> show routing route

IPv4 Virtual Router: default

destination        nexthop     interface     metric  flags
0.0.0.0/0          10.0.0.1    ethernet1/1   10      A S
10.0.0.0/8         10.0.0.1    ethernet1/1   10      A S
10.0.0.0/24        10.0.0.2    ethernet1/2   10      A S
10.0.1.0/24        10.0.0.3    ethernet1/3   10      A S
172.16.0.0/12      10.0.0.4    ethernet1/4   10      A S
192.168.0.0/16     10.0.0.5    ethernet1/5   10      A S
```

An administrator runs the commands and sees the output. The session shows an SSL application from trust to untrust. However, the traffic is actually a custom application over TCP 44321 that the firewall incorrectly identifies as SSL. Which configuration step will most accurately identify the custom application?

Exhibit

Refer to the exhibit.

```
admin@PA-3020> show session info

session id 12345, application: ssl, vsys vsys1, zone trust->untrust
source 10.1.1.10:443 -> destination 192.168.1.1:44321
state: active, type: dynamic
session age: 120 sec, timeout: 3600 sec

admin@PA-3020> show system info | match uptime
Uptime: 30 days, 4 hours, 12 minutes
```

Which TWO are valid dataplane components in a Palo Alto Networks firewall? (Choose two.)

Which THREE factors are considered when a Palo Alto Networks firewall performs application identification (App-ID) on a session? (Choose three.)

A company runs a mixed environment of physical and virtual Palo Alto Networks firewalls (PA-5250, VM-300) managed by a single Panorama. The company recently deployed a new application that uses the QUIC protocol (UDP 443) for performance. After the deployment, the security team notices that the firewall is not accurately identifying the QUIC traffic, and some QUIC sessions are being dropped unexpectedly. The firewall logs show 'application: incomplete' for these sessions. The security team wants to ensure QUIC traffic is properly identified and allowed. The team has configured a security policy rule to allow 'ssl' application (thinking QUIC is similar to SSL) but the problem persists. The firewall is running PAN-OS 10.1. Which of the following is the best course of action?

Question 13 · medium · multi select

A security engineer is troubleshooting a traffic drop issue on a Palo Alto Networks firewall. The traffic is allowed by the security policy, but the session is being terminated. Which two features could cause this behavior? (Choose two.)

A network administrator is configuring a new Palo Alto Networks firewall in a high-availability active/passive setup. The firewall will be placed in Layer 3 mode. Which THREE steps are required to ensure proper operation? (Choose three.)

Question 15 · hard · multiple choice

Refer to the exhibit. A firewall administrator is investigating why traffic from a source IP 10.1.1.100 to destination 192.168.1.50 is not establishing sessions. The firewall has been up for 45 days. Based on the counters shown, what is the most likely cause?

Exhibit

Refer to the exhibit.

```
admin@PA-5050> show system info | match uptime
Uptime: 45 days 3 hours 22 mins

admin@PA-5050> show session all filter source 10.1.1.100 destination 192.168.1.50
Session filter returned 0 sessions

admin@PA-5050> show counter global | match flow_tcp_non_syn
flow_tcp_non_syn: 15

admin@PA-5050> show counter global | match flow_tcp_handshake_fail
flow_tcp_handshake_fail: 8
```

Question 16 · medium · multiple choice

A company recently deployed a Palo Alto Networks PA-5250 firewall in a data center. The firewall is configured with multiple virtual routers and is connected to an MPLS WAN router and an internet router. The network team reports that users can access internet resources but cannot reach a critical application hosted in a remote branch office over the MPLS link. The application uses TCP port 443 and is accessed via a fully qualified domain name (FQDN). The security policy includes a rule that allows traffic from the internal zone to the MPLS zone with the application 'ssl' and the destination address set to the FQDN of the application server. The internal DNS server resolves the FQDN correctly to the private IP address 10.20.30.40. The firewall has DNS proxy enabled, but the DNS server is configured as the internal DNS server. The administrator runs a packet capture and sees that the firewall is sending DNS queries for the FQDN to the internal DNS server but the response is not being used to update the dynamic address group (DAG) that is referenced in the security policy. The DAG is configured with a 'FQDN' match criteria. What is the most likely cause?

Question 17 · medium · multiple choice

A security administrator is troubleshooting a traffic drop between two internal zones. The firewall shows that the session is being terminated with a 'tcp-fin' reason. The administrator verifies that the application is set to 'web-browsing' and the service is 'application-default'. What is the most likely cause of the session termination?

An organization is deploying a pair of PA-5250 firewalls in active/passive high availability. The network team notices that the passive firewall is not receiving synchronization updates. Both devices have the same software version and licenses. The HA1 control link is connected and shows 'up' in 'show high-availability state'. What is the most likely reason for the synchronization failure?

A network engineer is configuring a new PA-220 firewall. They need to allow HTTP traffic from the 'trust' zone to the 'untrust' zone. However, the traffic is being dropped. A packet capture shows that the SYN packet is received but no SYN-ACK is sent. What is the most likely cause?

Arrange the steps to perform a factory reset on a Palo Alto Networks firewall.



Frequently asked questions

What does the PCNSE exam test about Core Concepts and Architecture?
Core Concepts and Architecture questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Core Concepts and Architecture questions in a focused session?
Yes — the session launcher on this page draws every question from the Core Concepts and Architecture domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other PCNSE topics?
Use the topic links above to move to related areas, or go back to the PCNSE question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSE exam covers. They are not copied from any real exam or dump site.