Text preview & study summary

Palo Alto PCNSE - Network Security Engineer - Advanced PAN-OS HA Panorama Decryption Routing Troubleshooting

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A Palo Alto Networks engineer is designing a High Availability (HA) deployment for a pair of PA-5220 firewalls. The design requires that during a failover, the secondary firewall takes over without TCP sessions being dropped. Which HA configuration is required, and what are the prerequisites?

Answer choices

  • A. Active/Passive HA with Session Synchronization enabled; requires dedicated HA1 (control) and HA2 (data) links (Correct)

  • B. Active/Active HA with VSYS load sharing; requires identical hardware and synchronization links

  • C. Active/Passive HA without session synchronization; requires only HA1 control link

  • D. Cluster HA with three nodes for session redundancy

Explanation

For stateful failover where TCP sessions survive the transition, Active/Passive HA with Session Synchronization is required. Configuration requirements: (1) HA1 link — control plane synchronization (heartbeat, HA state, routing, configuration sync), (2) HA2 link — data plane session synchronization (forwards active session table, connection tracking to standby firewall), (3) Both firewalls must be the same model and run the same PAN-OS version. With session sync enabled, the standby firewall maintains a copy of the session table and takes over seamlessly during failover. Without session sync (Option C), failover works but active sessions are dropped. Active/Active HA (Option B) provides load sharing but is more complex and doesn't provide the same seamless session continuity as Active/Passive for most deployments.

Question 2

A security architect is designing a deployment where PAN-OS must inspect DNS traffic flowing through the firewall. An attacker is using DNS tunneling to exfiltrate data. Which PAN-OS features, when combined, provide comprehensive DNS threat detection and prevention?

Answer choices

  • A. URL Filtering with a custom block list of DNS server IP addresses

  • B. Anti-Spyware Profile with DNS Security enabled (detects DNS tunneling, C2 via DNS, DGA domains) combined with DNS Sinkholing configuration (Correct)

  • C. Application Override to force DNS traffic classification

  • D. File Blocking Profile to block DNS zone transfer files

Explanation

Comprehensive DNS threat protection in PAN-OS uses: (1) Anti-Spyware Profile > DNS Security — inspects DNS queries against Palo Alto's DNS Security intelligence, detecting: DNS tunneling (unusually long or encoded DNS queries), C2 communications via DNS (known malware C2 domains), DGA (Domain Generation Algorithm) domains, and malicious domains. (2) DNS Sinkholing — when a malicious domain DNS query is detected, instead of blocking the query (which the attacker might notice), the firewall returns a sinkhole IP address. When the infected host attempts to connect to the sinkhole IP, the firewall can identify and alert on the compromised host's outbound connection, providing visibility into infected endpoints. This combination provides both prevention and detection/remediation capabilities.

Question 3

An engineer is implementing QoS (Quality of Service) on a Palo Alto firewall to prioritize VoIP traffic over general web browsing. What are the two components required for QoS configuration?

Answer choices

  • A. QoS Profile and QoS Policy (matching criteria and profile assignment) (Correct)

  • B. DoS Protection Profile and Security Profile Group with QoS settings

  • C. Traffic Shaping profile in the Network interface settings and a separate bandwidth limit

  • D. Only a QoS Profile is needed; it automatically applies based on application identification

Explanation

PAN-OS QoS requires two components: (1) QoS Profile (Network > QoS > QoS Profiles) — defines traffic classes (priority queues) with guaranteed bandwidth, burst, and maximum bandwidth settings. For example, Class 1 could have highest priority for VoIP, Class 4 for general web traffic. (2) QoS Policy (Policies > QoS) — match criteria rules (source zone/IP, destination zone/IP, application, service) that classify traffic into QoS classes defined in the QoS Profile. VoIP applications would be matched and assigned to the highest-priority class. Additionally, QoS must be enabled on the specific network interface where you want to enforce it. Without both components, QoS doesn't function. DoS Protection and Security Profiles are separate features.

Question 4

A Palo Alto PCNSE engineer is troubleshooting an SSL Forward Proxy decryption issue. HTTPS connections to a specific banking website are failing with certificate errors even though SSL decryption is configured. SSL decryption is working for all other HTTPS sites. What is the most likely cause?

Answer choices

  • A. The banking site uses certificate pinning or HSTS preloading, and the SSL decryption profile has "Certificate Error" handling set to block

  • B. The firewall CA certificate has expired

  • C. The banking site uses TLS 1.3 which is not supported by PAN-OS

  • D. The URL category for banking is in the SSL Decryption Exclusion list (Correct)

Explanation

Many organizations and PAN-OS default configurations include financial and banking sites in the SSL Decryption Exclusion list to avoid interfering with certificate pinning, mutual TLS, or regulatory requirements. If the URL category "financial-services" (or the specific domain) is in the Decryption Exclusion list, the firewall bypasses SSL inspection for those sites — traffic passes without decryption. If the site IS being decrypted but failing, Option A (certificate pinning/HSTS) is the cause — some banking applications validate the certificate chain and reject the firewall's re-signed certificate. The correct remediation depends on the cause: if in exclusion list and correctly excluded, it's working as designed. If pinning causes issues, add to exclusion list. Expired CA (B) would break ALL sites, not just one.

Question 5

A PCNSE candidate is asked to explain how PAN-OS handles traffic when both Security Policy rules AND NAT policy rules exist. A packet arrives from 10.0.0.100 destined for 203.0.113.50, which NATs to 172.16.0.10. The Security Policy must allow this traffic. How should the Security Policy rule's destination be specified?

Answer choices

  • A. Destination: 172.16.0.10 (the post-NAT/translated IP address)

  • B. Destination: 203.0.113.50 (the pre-NAT/original destination IP address) (Correct)

  • C. Destination: any (to avoid NAT/policy interaction issues)

  • D. Two rules are needed: one for pre-NAT and one for post-NAT processing

Explanation

This is a critical PAN-OS exam concept: Security Policies are evaluated using PRE-NAT addresses. When a packet arrives destined for 203.0.113.50, the Security Policy sees destination 203.0.113.50 (before NAT translation occurs). The NAT rule translates the destination to 172.16.0.10 AFTER the Security Policy check. Therefore: the Security Policy rule must reference the original destination IP (203.0.113.50), the NAT rule translates to 172.16.0.10, and traffic flows to the internal server. If you write the Security Policy with destination 172.16.0.10 (post-NAT), the rule will never match — the firewall never sees 172.16.0.10 as the destination during security evaluation. This applies to both DNAT scenarios and SNAT doesn't change the destination evaluation.