Practice PCNSA Device Management and Services questions with full explanations on every answer.
Start practicing
Device Management and Services — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?
2A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?
3During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?
4An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?
5A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?
6An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?
7A security analyst notices that a legitimate application is being incorrectly identified as a different application by the firewall. What is the best first step to resolve this issue?
8An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?
9Which TWO of the following are valid methods to upgrade the PAN-OS version on a Palo Alto Networks firewall?
10Which THREE of the following are valid steps when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?
11Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?
12Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?
13Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?
14A company has two Palo Alto Networks firewalls in an active/passive HA pair (PA-5250) running PAN-OS 10.1. The HA configuration uses dedicated HA1 (control link) and HA2 (data link) interfaces. The network team recently replaced a failed switch that connected the HA1 interfaces. After the switch replacement, the HA pair is not forming. The administrator logs into the active firewall and runs 'show high-availability state' which shows the local state as 'active' and the peer state as 'unknown'. The HA1 interface status shows 'link down'. The administrator checks the physical connections and confirms the cables are connected and the switch ports are up. What is the most likely cause and the best course of action?
15A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?
16A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?
17A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?
18A network administrator wants to allow FTP traffic from the internal network to a specific external server. The administrator creates a security policy rule with source zone 'internal', destination zone 'external', destination IP of the server, and application 'ftp'. However, the traffic is still blocked. What is the most likely reason?
19A security administrator notices that a security policy rule is not matching traffic that should be allowed. The rule specifies source address as 10.0.1.0/24, destination address as 192.168.2.0/24, and application 'web-browsing'. The traffic originates from 10.0.1.5 to 192.168.2.10 using HTTPS. The traffic log shows that another rule with higher priority is matching and denying the traffic. What should the administrator check first?
20Which TWO of the following are required when configuring a new virtual router on a Palo Alto Networks firewall?
21A company is deploying a PA-220 firewall in a branch office. The firewall will be managed by Panorama. Which THREE of the following are required to establish a successful connection between the firewall and Panorama?
22Refer to the exhibit. A firewall has the configuration shown. A security policy allows traffic from the internal zone to the external zone. However, users on the internal network (192.168.1.0/24) cannot reach the internet. What is the most likely cause?
23A security administrator manages a Palo Alto Networks firewall with multiple virtual systems (vsys). The firewall is configured to use Panorama for centralized management. The administrator notices that after committing a configuration change on Panorama, the firewall's vsys2 is not receiving the updated configuration. The firewall can reach Panorama, and other vsys are updated correctly. The administrator verifies that Panorama's device group hierarchy includes the firewall and that the vsys2 template stack is correctly assigned. What is the most likely cause of this issue?
24Drag and drop the steps to configure a security policy on a Palo Alto Networks firewall into the correct order.
25Drag and drop the steps to configure a GlobalProtect portal and gateway on a Palo Alto Networks firewall into the correct order.
26Drag and drop the steps to perform a factory reset on a Palo Alto Networks firewall into the correct order.
27Match each Palo Alto Networks feature to its primary function.
28Match each protocol to its default port used by Palo Alto Networks.
29Match each Palo Alto Networks feature to its category.
30A network admin needs to push a security policy change to firewall-01 and firewall-02. Both firewalls have different interface configurations but should share the same security rules. What is the best way to achieve this using Panorama?
31A company has two PA-220 firewalls in active/passive HA. They want to ensure that if the active firewall loses internet connectivity but its management interface remains up, a failover occurs. Which monitoring method should be configured?
32An organization needs to send threat logs to two different syslog servers: one for real-time alerts and one for long-term storage. They also need to send traffic logs to the long-term storage syslog only. They have configured two syslog server profiles. What is the correct approach?
33A security admin wants to allow network engineers to log in to the firewall using their existing Active Directory credentials while maintaining a local admin account for emergency access. What should be configured?
34After a new zero-day exploit is discovered, a firewall must receive the latest threat prevention signature immediately. What is the most effective method to ensure the firewall gets the update as soon as it is released?
35An administrator makes several changes to the firewall configuration and commits. However, after the commit, users report connectivity issues. The administrator wants to revert to the previous configuration quickly without losing the changes that were made earlier in the day but not yet committed. What should the administrator do?
36A firewall uses an external SMTP server for email alerts. The SMTP server is reachable via a specific virtual router and interface. What must be configured to ensure the firewall uses the correct path to reach the SMTP server?
37An enterprise wants to receive SNMP traps from their firewalls for critical events such as HA state changes and high CPU usage. They have an SNMP trap receiver at 10.1.1.100. What configuration steps are required?
38A distributed enterprise has multiple firewalls at different sites. They want to map user IP addresses to usernames using the User-ID agent. The agent must be deployed in a way that minimizes unnecessary traffic and provides redundant coverage. What is the recommended deployment?
39An administrator wants to configure SNMP traps to send critical events from a firewall to a receiver at 192.168.1.100. Which TWO configuration objects must be created? (Choose two.)
40An administrator is configuring active/passive HA for two PA-3020 firewalls. Which TWO conditions would trigger a failover? (Choose two.)
41An administrator wants to schedule regular configuration backups to an external server. Which THREE methods are valid ways to achieve this? (Choose three.)
42Refer to the exhibit. An administrator runs 'show system resources' on a PA-500 firewall experiencing performance issues. Based on the output, what is the most likely cause?
43Refer to the exhibit. A firewall administrator is reviewing a Panorama template configuration. What is the purpose of the 'profile' statement under the interface?
44Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?
45A network administrator needs to restrict which source IP addresses can access the firewall's web management interface. Which feature should be configured?
46An administrator wants to synchronize the firewall's clock with a central NTP server. Where is this configured?
47A syslog server is only reachable through a specific interface on the firewall. To ensure syslog logs are sent via that interface, which configuration is required?
48After making configuration changes, an administrator clicks 'Commit' but the changes are not applied. What is the most likely cause?
49For a firewall to communicate with Panorama for centralized management, which requirement must be met?
50A company requires automatic daily backups of the firewall configuration. Which method should be used?
51An administrator wants to allow ping (ICMP) and SSH access on a data interface (e.g., ethernet1/1) for troubleshooting. Which configuration is required?
52During troubleshooting, an administrator needs to review firewall system events such as user logins, configuration changes, and commit failures. Which log type should be examined?
53What is the purpose of the 'Telemetry' feature in PAN-OS?
54Refer to the exhibit. What is the PAN-OS version running on the firewall?
55Refer to the exhibit. What is the default gateway of the firewall?
56Refer to the exhibit. What is the status of the commit job?
57Which two authentication methods can be used for administrative access to the firewall's web interface? (Choose two.)
58Which three of the following are valid commit options in the PAN-OS GUI? (Choose three.)
59Which three of the following services are commonly permitted on the management interface? (Choose three.)
60A company uses Panorama to manage multiple firewalls. The administrator wants changes made in Panorama to be automatically pushed to managed firewalls without manual intervention. Which setting should be enabled?
61An administrator needs to access the firewall's CLI via SSH, but the default SSH port (22) is blocked by the corporate firewall. Which configuration allows SSH on a non-standard port?
62A firewall's management interface is configured with a public IP for remote management. After a firmware upgrade, HTTP access returns a 403 Forbidden error, but HTTPS works. What is the most likely cause?
63An administrator notices repeated login failures from external IP 10.0.0.1 in the system logs. The admin wants to permanently block all traffic from that IP. Which approach is best practice?
64A company uses Panorama to manage multiple firewalls. After pushing a template change, one firewall fails to commit with error 'invalid certificate path'. What is the most likely cause?
65An administrator wants to configure the firewall to automatically synchronize its clock with an external NTP server. Which device management section is used?
66An administrator configured SNMP community and trap destination under Device > Setup > Services, but no traps are received. What additional configuration is needed?
67A firewall is configured with multiple Virtual Systems (vsys). An admin wants to assign a custom admin role that can manage only specific vsys. Which role type supports this?
68Which license is required for the firewall to use URL filtering?
69Which TWO conditions must be true for intra-zone traffic to be allowed between two interfaces in the same zone?
70Which THREE log types can be forwarded to a syslog server?
71Which TWO management methods allow CLI access to a Palo Alto Networks firewall?
72An administrator configured NTP servers as shown. After committing, the firewall's time is not synchronized. Which additional configuration is required?
73An administrator notices that the firewall's time is incorrect. Based on the exhibit, what is the most likely cause?
74An administrator sees this log repeatedly. Which configuration change will allow 10.0.0.1 to access the management interface?
75An administrator modifies a security policy but the change does not take effect. What must the administrator do?
76A Panorama-managed firewall currently allows SSH access from any IP. The security policy requires that administrative access to the firewall be possible only from Panorama. What should be configured?
77A company is deploying a Palo Alto firewall in a high-availability (HA) pair. They want to ensure that when a failover occurs, session information is preserved to maintain active connections. Which feature must be enabled?
78Which of the following is NOT a valid method for upgrading PAN-OS software on a Palo Alto firewall?
79An administrator wants to ensure that a specific security policy rule is applied before all other rules. What should be configured?
80A company uses Panorama to manage multiple firewalls. They have configured a template to push NTP settings, DNS, and authentication profiles. However, one firewall is not receiving the template settings. Which of the following is the most likely cause?
81An administrator needs to check the system uptime of the firewall. Which CLI command should be used?
82A firewall administrator notices that after a power outage, the firewall boots up but fails to load the last committed configuration. What should the administrator do to recover the configuration?
83A company is deploying multiple Palo Alto firewalls and wants to manage them centrally. Which method should be used?
84A security administrator is configuring Panorama to manage multiple firewalls. Which two actions are required to ensure that a firewall receives its configuration from Panorama? (Choose two.)
85An organization is implementing a high availability pair of Palo Alto firewalls in active/passive mode. Which three actions are necessary for proper failover functionality? (Choose three.)
86A network administrator wants to collect and analyze traffic logs from a Palo Alto firewall. Which two methods can be used? (Choose two.)
87Refer to the exhibit. The administrator notices that traffic from 192.168.1.100 to 10.1.1.1 using HTTPS is being blocked. What is the most likely cause?
88Refer to the exhibit. What does this log indicate?
89Refer to the exhibit. What is the effect of this configuration?
90A company needs to receive email alerts for critical system events. What is the recommended method to configure email notifications on a Palo Alto Networks firewall?
91An administrator upgrades a firewall from PAN-OS 9.1 to 10.0, but a subsequent commit fails. Which log should the administrator examine first to find the cause of the failure?
92A company wants to centrally manage multiple firewalls using Panorama. They need to reduce management IP usage on the firewalls. Which Panorama deployment model best achieves this?
93An administrator needs to quickly back up the device configuration to facilitate restoration after a hardware failure. Which method ensures the most reliable restoration?
94A company deploys a pair of firewalls in Active/Passive HA. To ensure that active sessions are preserved during failover, which interface must be configured for state synchronization?
95After enabling password complexity on a Palo Alto firewall, an administrator is unable to access the management web interface remotely. The administrator can still access the console locally. What is the most likely cause?
96An administrator needs to perform a scheduled reboot of the firewall for maintenance. Which method provides the most control over the reboot timing?
97An administrator configures SNMP monitoring on a firewall but receives no data from the SNMP manager. Which check should be performed first?
98A company uses Panorama to manage multiple device groups. They want to push a set of global security policies to all firewalls. Where should the administrator configure these policies in Panorama?
99Which TWO methods are valid for managing a Palo Alto Networks firewall? (Select two)
100Which THREE are required for Panorama to manage a firewall? (Select three)
101Which TWO are best practices for securing management access to a Palo Alto firewall? (Select two)
102Refer to the exhibit. An administrator attempts to ping the firewall's management IP (192.168.1.1) from a host on the same subnet (192.168.1.0/24) but receives no response. What is the most likely cause?
103A company has deployed a pair of PA-5250 firewalls in an Active/Passive HA configuration. The management network uses a separate subnet with addresses 10.0.0.0/24. The active firewall's management IP is 10.0.0.1, passive is 10.0.0.2. They have a virtual router configured with static routes. The HA configuration uses HA1 (backplane) for heartbeat and HA2 for session sync. After a power failure, both firewalls reboot. The active firewall comes up first and becomes active. The passive firewall later joins, but fails to become passive; it remains in 'non-functional' state. The administrator observes the following: - HA1 link is up on both firewalls. - HA2 link shows 'waiting for HA2 link' on the active. - The passive firewall's management IP is reachable. - The active firewall shows 'peer unreachable' in HA status. What is the most likely cause?
104An administrator is tasked with centralizing the management of 50 Palo Alto firewalls spread across four geographical regions. The company has a Panorama VM deployed in the data center. Each firewall must receive a common set of security policies and URL filtering profiles, but regional administrators need the ability to add locally required policies. The administrator configures Panorama with device groups: 'Shared' device group for global policies, and four regional device groups (Americas, EMEA, APAC, Oceania). They create a template for basic network settings and use template stacks. After pushing the Device Group and Template configuration, some regional firewalls report that they are not receiving the shared policies. What is the most likely cause?
105A company has two Palo Alto Networks firewalls in active/passive HA. The passive firewall failed and was replaced with a new unit. The network administrator initiates a configuration sync from the active to the new passive. After the sync, the passive unit shows as 'Active' instead of 'Passive'. What is the most likely cause?
106A network administrator needs to configure certificate-based authentication for administrative access to the firewall's web interface. Which two actions are required?
107A security analyst wants to send firewall logs to an external syslog server for long-term storage. Which three configuration steps are necessary?
108A company runs a pair of PA-5250 firewalls in active/passive HA controlling the production data center (10 Gbps traffic). The security team needs to upgrade from PAN-OS 10.0 to 10.2 to fix several critical CVEs. The team has a maintenance window of four hours. The lead engineer suggests performing the upgrade in the following order: 1. Download and install the upgrade on the passive firewall, 2. Commit after install, 3. Perform a non-disruptive failover to make the passive active, 4. Upgrade the new passive (former active), 5. Fail back to the original active. A junior engineer points out that the passive firewall takes 30 minutes to boot and join the HA pair after upgrade. The maintenance window is only four hours. What should the team do to ensure the upgrade completes within the window?
109An administrator configures log forwarding to send traffic logs to a syslog server. After applying the log forwarding profile to the security policy, logs are not appearing at the syslog server. The administrator verifies that the syslog server is reachable from the firewall's management IP by using ping, and that the syslog service is running on the server. What is the most likely cause?
110A network administrator recently changed the admin password on a Palo Alto Networks firewall and logged out. The next day, the administrator attempts to log in via SSH but receives 'access denied' after three attempts. The administrator typically uses SSH from a management workstation. The firewall's management interface is still reachable via ping. The administrator suspects the account may be locked due to failed attempts. Since the administrator is not currently logged in, there is no way to unlock the account remotely. The administrator has physical access to the data center and can connect a laptop to the console port. What is the most efficient way to regain administrative access to the firewall?
111A security analyst uses Panorama to generate a custom report on all traffic using the application 'facebook-base' across the enterprise. The analyst creates a new report template in Panorama with the filter '(app eq facebook-base)' and runs the report for the past 30 days. The report returns zero results. However, when the analyst logs into a specific firewall and queries the traffic logs using the same filter, results appear. The analyst confirms that the firewall is configured to forward logs to Panorama and that Panorama receives logs from all firewalls. What is the most likely reason the Panorama report fails to return data?
112A company purchases a new PA-410 firewall and installs it in a branch office. After configuring basic network settings, the administrator attempts to install the threat prevention license. The firewall is connected to the internet via a NAT device. The administrator registers the firewall with the Palo Alto Networks support portal using the serial number. The license is successfully added to the account. However, when checking the firewall's license status via the web interface, it shows 'Authentication Failed' for the license. The administrator can ping a well-known DNS server from the firewall's management IP. What is the most likely cause?
113An administrator notices that the firewall's web interface is accessible via HTTPS but shows an expired certificate warning. The firewall's management certificate was issued by an internal CA and has a validity of two years. The administrator checks the certificate and sees it expired yesterday. The administrator generates a new self-signed certificate through the firewall's GUI. After generating, the administrator assigns the new certificate to the HTTPS management interface. Despite this, the firewall still presents the old expired certificate when accessed. What is the most likely cause?
114A network administrator needs to ensure that firewall-generated traffic (e.g., NTP queries, DNS lookups, Panorama communications) uses a specific source IP address from a loopback interface. Which two configuration steps are required? (Choose two.)
115After a firewall upgrade, the system clock shows a time that is five minutes behind the actual time, even though NTP is synchronized. What is the most likely cause?
116A company has a pair of PA-5220 firewalls configured in an active/passive high-availability (HA) cluster. The devices are managed via Panorama, which also manages other firewalls. The security team reports that after a recent commit on Panorama, the passive firewall in the HA pair stops responding to management pings. The active firewall continues to pass traffic and is manageable. Upon investigation, the passive firewall shows the following on its console: 'Management plane is down.' The administrator suspects the passive firewall might have received a configuration that disables the management interface. What should the administrator do to restore management access to the passive firewall without affecting production traffic?
The Device Management and Services domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 116 questions in the Device Management and Services domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Device Management and Services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included