PCNSE · topic practice

Manage, Monitor and Operate practice questions

Practise Palo Alto Networks Certified Network Security Engineer PCNSE Manage, Monitor and Operate practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Manage, Monitor and Operate

What the exam tests

What to know about Manage, Monitor and Operate

Manage, Monitor and Operate questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Manage, Monitor and Operate exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Manage, Monitor and Operate questions

20 questions · select your answer, then reveal the explanation

A security administrator notices that a specific user is generating excessive logs due to repeated authentication failures. The administrator wants to see only failed authentication events for that user in the monitor tab. Which filter string should be used in the log viewer?

An administrator wants to generate a report that shows the top applications by bandwidth usage over the last week. Which report type should be used to accomplish this?

Question 3easymultiple choice
Review the full subnetting walkthrough →

A firewall administrator needs to troubleshoot a connectivity issue where users in the 10.0.1.0/24 subnet cannot reach the internet. The administrator suspects a missing policy. Which tool within the firewall's web interface can be used to test which security policy will be matched for a given traffic flow?

A company has a firewall with multiple virtual systems (vsys). The administrator wants to delegate management of one vsys to a junior administrator, allowing them to configure security policies but not access system settings or other vsys. Which administrative role should be assigned?

An administrator is troubleshooting high CPU usage on a PA-5250 firewall. The CPU usage spikes every 5 minutes. Which CLI command should be used to identify the process causing the spike?

A firewall is configured with two ISPs for redundancy. The administrator wants to ensure that traffic from internal users is load-balanced across both links based on source IP. Which configuration method should be used?

An administrator receives an alert that a firewall's disk usage is at 85%. The administrator wants to reduce disk usage by automatically deleting older log files. Which action should be taken?

A firewall is deployed in an Active/Passive HA pair. The administrator notices that the passive firewall is not synchronizing configuration changes. The 'show high-availability state' command shows the passive firewall in a 'non-functional' state. What is the most likely cause?

A security team needs to capture traffic for forensic analysis of a specific application that uses non-standard ports. The administrator wants to capture packets on the firewall for that application only, without affecting performance. Which method should be used?

Which TWO of the following are valid methods to upgrade the PAN-OS software on a firewall? (Choose two.)

Which THREE of the following are valid actions that can be taken on a dynamic block list entry? (Choose three.)

Which TWO of the following are valid considerations when configuring Log Forwarding for Panorama? (Choose two.)

Refer to the exhibit. The firewall's disk usage is at 85% overall, and the /opt/panlogs partition is at 92%. The administrator wants to free up space without losing important log data. Which action should be taken first?

Exhibit

Refer to the exhibit.

admin@PA-5000> show system resources
CPU: 15% used
Memory: 45% used
Disk: /dev/sda1 85% used

admin@PA-5000> show logging-status
Disk space usage:
  /opt/pancfg: 70% used
  /opt/panlogs: 92% used

Refer to the exhibit. The firewall is experiencing high dataplane CPU usage (85%) with 45,000 active sessions out of a maximum of 100,000. Which of the following is the most likely cause of the high CPU?

Exhibit

Refer to the exhibit.

admin@PA-3020> show session info
Total active sessions: 45000
TCP sessions: 40000
UDP sessions: 5000

admin@PA-3020> show session stats
Max sessions: 100000
Current sessions: 45000

admin@PA-3020> show running resource-monitor
Dataplane CPU: 85%

Refer to the exhibit. The firewall is active in an HA pair, but the peer is non-functional. The HA2 link is down. What is the most likely cause of the peer being non-functional?

Exhibit

Refer to the exhibit.

admin@PA-5250> show high-availability state

HA State: active
HA Link Status:
  HA1: up
  HA2: down
  HA3: down

Peer State: non-functional
Question 16hardmultiple choice
Review the full routing breakdown →

A medium-sized enterprise has a PA-3220 firewall deployed in a data center with two ISPs (ISP-A and ISP-B) for redundancy. The firewall is configured with two virtual routers: VR-Trust for internal networks and VR-Untrust for external connections. Each ISP is connected to a separate physical interface (ethernet1/1 for ISP-A, ethernet1/2 for ISP-B) and both are placed in VR-Untrust with static default routes. The internal network uses 10.0.0.0/16. The firewall has a security policy that allows all outbound traffic from internal to external. Recently, users have reported that internet access is slow during peak hours. The administrator checks the dataplane CPU and sees it averaging 80-90%. The session count is 200,000 out of a maximum of 500,000. The administrator also notices that the firewall is using only ISP-A for all outbound traffic, even though both ISPs have equal bandwidth. The administrator wants to reduce CPU usage and utilize both ISP links. Which action should the administrator take?

Question 17hardmultiple choice
Read the full NAT/PAT explanation →

A large organization has a PA-5250 firewall pair in active/passive HA mode. The firewalls are managed by Panorama. The security team recently created a new security policy rule to block a specific application (app-block-rule) and pushed the configuration from Panorama. After the push, the active firewall shows the new rule in the security policy list, but traffic matching the rule is not being blocked. The administrator checks the traffic logs and sees that the traffic is being allowed by a different rule with a higher priority. The administrator also notices that the 'app-block-rule' has an 'any' source and destination zone, but the allowed rule has specific zones. The administrator runs 'show session info' and sees that the sessions are being created before the policy push. The administrator wants to ensure that existing sessions are subject to the new policy. Which action should the administrator take?

Arrange the steps to configure a new zone on a Palo Alto Networks firewall in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Arrange the steps to configure a new administrator account with role-based access.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each Palo Alto Networks feature to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Application identification and control

User and group mapping for policies

Threat prevention including IPS and antivirus

Cloud-based malware analysis

Remote access VPN and mobile security

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Manage, Monitor and Operate sessions

Start a Manage, Monitor and Operate only practice session

Every question in these sessions is drawn from the Manage, Monitor and Operate domain — nothing else.

Related practice questions

Related PCNSE topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCNSE exam test about Manage, Monitor and Operate?
Manage, Monitor and Operate questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Manage, Monitor and Operate questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage, Monitor and Operate domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSE topics?
Use the topic links above to move to related areas, or go back to the PCNSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSE exam covers. They are not copied from any real exam or dump site.