PCNSE · topic practice

Deploy and Configure Firewalls practice questions

Practise Palo Alto Networks Certified Network Security Engineer PCNSE Deploy and Configure Firewalls practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Deploy and Configure Firewalls

What the exam tests

What to know about Deploy and Configure Firewalls

Deploy and Configure Firewalls questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Deploy and Configure Firewalls exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Deploy and Configure Firewalls questions

20 questions · select your answer, then reveal the explanation

Question 1

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

Question 2 · hard · multiple choice

A network engineer is configuring a new firewall to replace an existing one. The existing firewall has a policy that allows traffic from the 10.0.0.0/8 subnet to the internet. The new firewall must use the same policy but also log the traffic. The engineer creates a security rule with source zone 'Trust', destination zone 'Untrust', source address 10.0.0.0/8, and action 'allow'. Logging is set at rule end. However, traffic from 10.1.0.0/16 is not being logged. What is the reason?

Question 3 · easy · multiple choice

A security engineer needs to allow inbound HTTPS traffic from the internet to a web server in the DMZ. The source zone is 'Untrust', destination zone is 'DMZ', and the destination address is the web server's IP. Which security policy action should be used?

Question 4 · medium · multiple choice

An administrator configures a firewall with two virtual routers: VR1 and VR2. VR1 connects to the corporate network and VR2 to an ISP. The administrator creates a static route in VR1 to reach the internet via a next hop of 10.0.0.1, but traffic from VR1 to the internet fails. What is the most likely cause?

Question 5 · hard · multiple choice

An engineer is troubleshooting an inter-zone rule that should allow traffic from zone 'Trust' to zone 'Untrust'. The rule has a source address of 10.0.0.0/8 and destination address of any. The traffic is being denied. The engineer checks the log and sees the rule is not matched. What is the most likely reason?

Question 6

Which TWO of the following are required when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Question 7

Which THREE of the following are valid methods to enable traffic logging when configuring a security rule?

Question 8 · hard · multiple choice

You are deploying a pair of PA-5250 firewalls in active/passive HA mode for a large enterprise. The firewalls are configured with multiple virtual routers (VRs) to segment traffic: VR-A for internal corporate network, VR-B for DMZ, and VR-C for Internet edge. Each VR is associated with a separate Vsys. The HA pair uses IPsec tunnel monitoring to determine failover. The customer reports that after a recent configuration change, failover does not occur when the primary firewall's Internet-facing interface (ethernet1/1) goes down. You verify that the primary firewall detects the interface failure, but the secondary does not take over. The HA configuration shows: 'monitor failure only' set to 'link-status', 'monitor hold time' 1000ms, 'promotion hold time' 2000ms, and 'monitor failure condition' is 'any'. The IPsec tunnel monitoring is configured for tunnel to a remote site. The path monitoring includes the Internet-facing interface under VR-C. What is the most likely reason for the failover failure?

Question 9

A company has deployed two PA-5250 firewalls in an active/passive high-availability pair. The passive firewall shows the status 'non-functional' after a reboot. The active firewall is still passing traffic. The administrator checks the HA configuration and sees that the preemptive setting is enabled on both firewalls. What is the most likely cause of the passive firewall showing 'non-functional'?

Question 10 · hard · multi select

A security engineer is deploying a Palo Alto Networks firewall in a branch office. The firewall must enforce the following security policies: (1) Allow outbound HTTPS traffic from internal users to the internet. (2) Block all inbound traffic from the internet to the internal network except for SMTP traffic to a specific mail server. (3) Allow outbound DNS traffic from internal DNS servers to external DNS servers. Which TWO security rules should the engineer create to satisfy these requirements? (Choose two.)

Question 11 · medium · multiple choice

Refer to the exhibit. An administrator is troubleshooting traffic from a host at 10.2.2.10 to a server at 10.3.3.10. The firewall has a security rule allowing the traffic. However, traffic is failing. Based on the routing table, what is the most likely cause?

Exhibit

Refer to the exhibit.

admin@PA-5250> show routing route

IPv4 Route Table for virtual-router default

destination  nexthop      metric   flags  interface  age
0.0.0.0/0    10.1.1.1     10       A S    ethernet1/1  5m
10.1.1.0/24  10.1.1.100   0        A C    ethernet1/1  5m
10.2.2.0/24  10.1.1.200   1        A S    ethernet1/1  5m
10.3.3.0/24  10.1.1.200   1        A S    ethernet1/1  5m

Question 12 · medium · drag order

Order the steps to configure an IPsec VPN tunnel between two Palo Alto firewalls.

Question 13 · medium · matching

Match each type of route to its description.

Matches

  • Manually configured by administrator
  • Learned via link-state routing protocol
  • Learned via path-vector routing protocol
  • Directly attached network
  • Used when no specific route matches destination

Question 14

What is the most likely reason the traffic from 192.168.1.100 to 203.0.113.50 is being denied?

Exhibit

Refer to the exhibit.
Time,Source,Destination,Application,Action,Rule
2024-05-01 10:00:00,192.168.1.100,203.0.113.50,ssl,deny,default-deny

Question 15 · medium · multiple choice

The administrator intended to create a sub-interface for VLAN 10 with IP 192.168.10.1/24. However, traffic from VLAN 10 is not being routed through this interface. Based on the exhibit, what is the cause?

Exhibit

Refer to the exhibit.
admin@PA-500> show interface ethernet1/2.10
Interface ethernet1/2.10
  VLAN: 20
  Virtual router: default
  IP netmask: 192.168.10.1/24
  Zone: VLAN10
  State: up

Question 16 · hard · multiple choice

The source NAT rule 'SNAT-Outside' is configured to translate traffic from 10.0.0.0/8 to the interface address of ethernet1/1. However, traffic from 10.1.1.1 to the internet is not being translated. What is the most likely reason?

Exhibit

Refer to the exhibit.
admin@PA-500# show running config | match nat
...
nat {
    source-nat {
        rule "SNAT-Outside" {
            source [ 10.0.0.0/8 ];
            destination [ any ];
            service [ any ];
            to-interface ethernet1/1;
            source-translation {
                interface-address;
            }
        }
    }
}

Question 17 · easy · multiple choice

A company needs to provide internet access to 500 internal users using a single public IP address. Which NAT method should be configured?

Question 18

A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny' with the rule being 'Allow-SSL'. What is the most likely cause?

Question 19

By default, what is the action on traffic between two different zones without any security rule?

Question 20

An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?


Frequently asked questions

What does the PCNSE exam test about Deploy and Configure Firewalls?
Deploy and Configure Firewalls questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Deploy and Configure Firewalls questions in a focused session?
Yes — the session launcher on this page draws every question from the Deploy and Configure Firewalls domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSE topics?
Use the topic links above to move to related areas, or go back to the PCNSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSE exam covers. They are not copied from any real exam or dump site.