Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsPCNSADomainsDevice Management and Services
PCNSAFree — No Signup

Device Management and Services

Practice PCNSA Device Management and Services questions with full explanations on every answer.

116questions

Start practicing

Device Management and Services — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

PCNSA Domains

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficCore ConceptsPalo Alto Networks Platforms and ArchitectureDevice Management and ServicesApp-ID and Content-IDDecryption and Monitoring

Practice Device Management and Services questions

10Q20Q30Q50Q

All PCNSA Device Management and Services questions (116)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?

2

A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?

3

During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?

4

An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?

5

A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?

6

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

7

A security analyst notices that a legitimate application is being incorrectly identified as a different application by the firewall. What is the best first step to resolve this issue?

8

An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?

9

Which TWO of the following are valid methods to upgrade the PAN-OS version on a Palo Alto Networks firewall?

10

Which THREE of the following are valid steps when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

11

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

12

Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?

13

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

14

A company has two Palo Alto Networks firewalls in an active/passive HA pair (PA-5250) running PAN-OS 10.1. The HA configuration uses dedicated HA1 (control link) and HA2 (data link) interfaces. The network team recently replaced a failed switch that connected the HA1 interfaces. After the switch replacement, the HA pair is not forming. The administrator logs into the active firewall and runs 'show high-availability state' which shows the local state as 'active' and the peer state as 'unknown'. The HA1 interface status shows 'link down'. The administrator checks the physical connections and confirms the cables are connected and the switch ports are up. What is the most likely cause and the best course of action?

15

A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?

16

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

17

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

18

A network administrator wants to allow FTP traffic from the internal network to a specific external server. The administrator creates a security policy rule with source zone 'internal', destination zone 'external', destination IP of the server, and application 'ftp'. However, the traffic is still blocked. What is the most likely reason?

19

A security administrator notices that a security policy rule is not matching traffic that should be allowed. The rule specifies source address as 10.0.1.0/24, destination address as 192.168.2.0/24, and application 'web-browsing'. The traffic originates from 10.0.1.5 to 192.168.2.10 using HTTPS. The traffic log shows that another rule with higher priority is matching and denying the traffic. What should the administrator check first?

20

Which TWO of the following are required when configuring a new virtual router on a Palo Alto Networks firewall?

21

A company is deploying a PA-220 firewall in a branch office. The firewall will be managed by Panorama. Which THREE of the following are required to establish a successful connection between the firewall and Panorama?

22

Refer to the exhibit. A firewall has the configuration shown. A security policy allows traffic from the internal zone to the external zone. However, users on the internal network (192.168.1.0/24) cannot reach the internet. What is the most likely cause?

23

A security administrator manages a Palo Alto Networks firewall with multiple virtual systems (vsys). The firewall is configured to use Panorama for centralized management. The administrator notices that after committing a configuration change on Panorama, the firewall's vsys2 is not receiving the updated configuration. The firewall can reach Panorama, and other vsys are updated correctly. The administrator verifies that Panorama's device group hierarchy includes the firewall and that the vsys2 template stack is correctly assigned. What is the most likely cause of this issue?

24

Drag and drop the steps to configure a security policy on a Palo Alto Networks firewall into the correct order.

25

Drag and drop the steps to configure a GlobalProtect portal and gateway on a Palo Alto Networks firewall into the correct order.

26

Drag and drop the steps to perform a factory reset on a Palo Alto Networks firewall into the correct order.

27

Match each Palo Alto Networks feature to its primary function.

28

Match each protocol to its default port used by Palo Alto Networks.

29

Match each Palo Alto Networks feature to its category.

30

A network admin needs to push a security policy change to firewall-01 and firewall-02. Both firewalls have different interface configurations but should share the same security rules. What is the best way to achieve this using Panorama?

31

A company has two PA-220 firewalls in active/passive HA. They want to ensure that if the active firewall loses internet connectivity but its management interface remains up, a failover occurs. Which monitoring method should be configured?

32

An organization needs to send threat logs to two different syslog servers: one for real-time alerts and one for long-term storage. They also need to send traffic logs to the long-term storage syslog only. They have configured two syslog server profiles. What is the correct approach?

33

A security admin wants to allow network engineers to log in to the firewall using their existing Active Directory credentials while maintaining a local admin account for emergency access. What should be configured?

34

After a new zero-day exploit is discovered, a firewall must receive the latest threat prevention signature immediately. What is the most effective method to ensure the firewall gets the update as soon as it is released?

35

An administrator makes several changes to the firewall configuration and commits. However, after the commit, users report connectivity issues. The administrator wants to revert to the previous configuration quickly without losing the changes that were made earlier in the day but not yet committed. What should the administrator do?

36

A firewall uses an external SMTP server for email alerts. The SMTP server is reachable via a specific virtual router and interface. What must be configured to ensure the firewall uses the correct path to reach the SMTP server?

37

An enterprise wants to receive SNMP traps from their firewalls for critical events such as HA state changes and high CPU usage. They have an SNMP trap receiver at 10.1.1.100. What configuration steps are required?

38

A distributed enterprise has multiple firewalls at different sites. They want to map user IP addresses to usernames using the User-ID agent. The agent must be deployed in a way that minimizes unnecessary traffic and provides redundant coverage. What is the recommended deployment?

39

An administrator wants to configure SNMP traps to send critical events from a firewall to a receiver at 192.168.1.100. Which TWO configuration objects must be created? (Choose two.)

40

An administrator is configuring active/passive HA for two PA-3020 firewalls. Which TWO conditions would trigger a failover? (Choose two.)

41

An administrator wants to schedule regular configuration backups to an external server. Which THREE methods are valid ways to achieve this? (Choose three.)

42

Refer to the exhibit. An administrator runs 'show system resources' on a PA-500 firewall experiencing performance issues. Based on the output, what is the most likely cause?

43

Refer to the exhibit. A firewall administrator is reviewing a Panorama template configuration. What is the purpose of the 'profile' statement under the interface?

44

Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?

45

A network administrator needs to restrict which source IP addresses can access the firewall's web management interface. Which feature should be configured?

46

An administrator wants to synchronize the firewall's clock with a central NTP server. Where is this configured?

47

A syslog server is only reachable through a specific interface on the firewall. To ensure syslog logs are sent via that interface, which configuration is required?

48

After making configuration changes, an administrator clicks 'Commit' but the changes are not applied. What is the most likely cause?

49

For a firewall to communicate with Panorama for centralized management, which requirement must be met?

50

A company requires automatic daily backups of the firewall configuration. Which method should be used?

51

An administrator wants to allow ping (ICMP) and SSH access on a data interface (e.g., ethernet1/1) for troubleshooting. Which configuration is required?

52

During troubleshooting, an administrator needs to review firewall system events such as user logins, configuration changes, and commit failures. Which log type should be examined?

53

What is the purpose of the 'Telemetry' feature in PAN-OS?

54

Refer to the exhibit. What is the PAN-OS version running on the firewall?

55

Refer to the exhibit. What is the default gateway of the firewall?

56

Refer to the exhibit. What is the status of the commit job?

57

Which two authentication methods can be used for administrative access to the firewall's web interface? (Choose two.)

58

Which three of the following are valid commit options in the PAN-OS GUI? (Choose three.)

59

Which three of the following services are commonly permitted on the management interface? (Choose three.)

60

A company uses Panorama to manage multiple firewalls. The administrator wants changes made in Panorama to be automatically pushed to managed firewalls without manual intervention. Which setting should be enabled?

61

An administrator needs to access the firewall's CLI via SSH, but the default SSH port (22) is blocked by the corporate firewall. Which configuration allows SSH on a non-standard port?

62

A firewall's management interface is configured with a public IP for remote management. After a firmware upgrade, HTTP access returns a 403 Forbidden error, but HTTPS works. What is the most likely cause?

63

An administrator notices repeated login failures from external IP 10.0.0.1 in the system logs. The admin wants to permanently block all traffic from that IP. Which approach is best practice?

64

A company uses Panorama to manage multiple firewalls. After pushing a template change, one firewall fails to commit with error 'invalid certificate path'. What is the most likely cause?

65

An administrator wants to configure the firewall to automatically synchronize its clock with an external NTP server. Which device management section is used?

66

An administrator configured SNMP community and trap destination under Device > Setup > Services, but no traps are received. What additional configuration is needed?

67

A firewall is configured with multiple Virtual Systems (vsys). An admin wants to assign a custom admin role that can manage only specific vsys. Which role type supports this?

68

Which license is required for the firewall to use URL filtering?

69

Which TWO conditions must be true for intra-zone traffic to be allowed between two interfaces in the same zone?

70

Which THREE log types can be forwarded to a syslog server?

71

Which TWO management methods allow CLI access to a Palo Alto Networks firewall?

72

An administrator configured NTP servers as shown. After committing, the firewall's time is not synchronized. Which additional configuration is required?

73

An administrator notices that the firewall's time is incorrect. Based on the exhibit, what is the most likely cause?

74

An administrator sees this log repeatedly. Which configuration change will allow 10.0.0.1 to access the management interface?

75

An administrator modifies a security policy but the change does not take effect. What must the administrator do?

76

A Panorama-managed firewall currently allows SSH access from any IP. The security policy requires that administrative access to the firewall be possible only from Panorama. What should be configured?

77

A company is deploying a Palo Alto firewall in a high-availability (HA) pair. They want to ensure that when a failover occurs, session information is preserved to maintain active connections. Which feature must be enabled?

78

Which of the following is NOT a valid method for upgrading PAN-OS software on a Palo Alto firewall?

79

An administrator wants to ensure that a specific security policy rule is applied before all other rules. What should be configured?

80

A company uses Panorama to manage multiple firewalls. They have configured a template to push NTP settings, DNS, and authentication profiles. However, one firewall is not receiving the template settings. Which of the following is the most likely cause?

81

An administrator needs to check the system uptime of the firewall. Which CLI command should be used?

82

A firewall administrator notices that after a power outage, the firewall boots up but fails to load the last committed configuration. What should the administrator do to recover the configuration?

83

A company is deploying multiple Palo Alto firewalls and wants to manage them centrally. Which method should be used?

84

A security administrator is configuring Panorama to manage multiple firewalls. Which two actions are required to ensure that a firewall receives its configuration from Panorama? (Choose two.)

85

An organization is implementing a high availability pair of Palo Alto firewalls in active/passive mode. Which three actions are necessary for proper failover functionality? (Choose three.)

86

A network administrator wants to collect and analyze traffic logs from a Palo Alto firewall. Which two methods can be used? (Choose two.)

87

Refer to the exhibit. The administrator notices that traffic from 192.168.1.100 to 10.1.1.1 using HTTPS is being blocked. What is the most likely cause?

88

Refer to the exhibit. What does this log indicate?

89

Refer to the exhibit. What is the effect of this configuration?

90

A company needs to receive email alerts for critical system events. What is the recommended method to configure email notifications on a Palo Alto Networks firewall?

91

An administrator upgrades a firewall from PAN-OS 9.1 to 10.0, but a subsequent commit fails. Which log should the administrator examine first to find the cause of the failure?

92

A company wants to centrally manage multiple firewalls using Panorama. They need to reduce management IP usage on the firewalls. Which Panorama deployment model best achieves this?

93

An administrator needs to quickly back up the device configuration to facilitate restoration after a hardware failure. Which method ensures the most reliable restoration?

94

A company deploys a pair of firewalls in Active/Passive HA. To ensure that active sessions are preserved during failover, which interface must be configured for state synchronization?

95

After enabling password complexity on a Palo Alto firewall, an administrator is unable to access the management web interface remotely. The administrator can still access the console locally. What is the most likely cause?

96

An administrator needs to perform a scheduled reboot of the firewall for maintenance. Which method provides the most control over the reboot timing?

97

An administrator configures SNMP monitoring on a firewall but receives no data from the SNMP manager. Which check should be performed first?

98

A company uses Panorama to manage multiple device groups. They want to push a set of global security policies to all firewalls. Where should the administrator configure these policies in Panorama?

99

Which TWO methods are valid for managing a Palo Alto Networks firewall? (Select two)

100

Which THREE are required for Panorama to manage a firewall? (Select three)

101

Which TWO are best practices for securing management access to a Palo Alto firewall? (Select two)

102

Refer to the exhibit. An administrator attempts to ping the firewall's management IP (192.168.1.1) from a host on the same subnet (192.168.1.0/24) but receives no response. What is the most likely cause?

103

A company has deployed a pair of PA-5250 firewalls in an Active/Passive HA configuration. The management network uses a separate subnet with addresses 10.0.0.0/24. The active firewall's management IP is 10.0.0.1, passive is 10.0.0.2. They have a virtual router configured with static routes. The HA configuration uses HA1 (backplane) for heartbeat and HA2 for session sync. After a power failure, both firewalls reboot. The active firewall comes up first and becomes active. The passive firewall later joins, but fails to become passive; it remains in 'non-functional' state. The administrator observes the following: - HA1 link is up on both firewalls. - HA2 link shows 'waiting for HA2 link' on the active. - The passive firewall's management IP is reachable. - The active firewall shows 'peer unreachable' in HA status. What is the most likely cause?

104

An administrator is tasked with centralizing the management of 50 Palo Alto firewalls spread across four geographical regions. The company has a Panorama VM deployed in the data center. Each firewall must receive a common set of security policies and URL filtering profiles, but regional administrators need the ability to add locally required policies. The administrator configures Panorama with device groups: 'Shared' device group for global policies, and four regional device groups (Americas, EMEA, APAC, Oceania). They create a template for basic network settings and use template stacks. After pushing the Device Group and Template configuration, some regional firewalls report that they are not receiving the shared policies. What is the most likely cause?

105

A company has two Palo Alto Networks firewalls in active/passive HA. The passive firewall failed and was replaced with a new unit. The network administrator initiates a configuration sync from the active to the new passive. After the sync, the passive unit shows as 'Active' instead of 'Passive'. What is the most likely cause?

106

A network administrator needs to configure certificate-based authentication for administrative access to the firewall's web interface. Which two actions are required?

107

A security analyst wants to send firewall logs to an external syslog server for long-term storage. Which three configuration steps are necessary?

108

A company runs a pair of PA-5250 firewalls in active/passive HA controlling the production data center (10 Gbps traffic). The security team needs to upgrade from PAN-OS 10.0 to 10.2 to fix several critical CVEs. The team has a maintenance window of four hours. The lead engineer suggests performing the upgrade in the following order: 1. Download and install the upgrade on the passive firewall, 2. Commit after install, 3. Perform a non-disruptive failover to make the passive active, 4. Upgrade the new passive (former active), 5. Fail back to the original active. A junior engineer points out that the passive firewall takes 30 minutes to boot and join the HA pair after upgrade. The maintenance window is only four hours. What should the team do to ensure the upgrade completes within the window?

109

An administrator configures log forwarding to send traffic logs to a syslog server. After applying the log forwarding profile to the security policy, logs are not appearing at the syslog server. The administrator verifies that the syslog server is reachable from the firewall's management IP by using ping, and that the syslog service is running on the server. What is the most likely cause?

110

A network administrator recently changed the admin password on a Palo Alto Networks firewall and logged out. The next day, the administrator attempts to log in via SSH but receives 'access denied' after three attempts. The administrator typically uses SSH from a management workstation. The firewall's management interface is still reachable via ping. The administrator suspects the account may be locked due to failed attempts. Since the administrator is not currently logged in, there is no way to unlock the account remotely. The administrator has physical access to the data center and can connect a laptop to the console port. What is the most efficient way to regain administrative access to the firewall?

111

A security analyst uses Panorama to generate a custom report on all traffic using the application 'facebook-base' across the enterprise. The analyst creates a new report template in Panorama with the filter '(app eq facebook-base)' and runs the report for the past 30 days. The report returns zero results. However, when the analyst logs into a specific firewall and queries the traffic logs using the same filter, results appear. The analyst confirms that the firewall is configured to forward logs to Panorama and that Panorama receives logs from all firewalls. What is the most likely reason the Panorama report fails to return data?

112

A company purchases a new PA-410 firewall and installs it in a branch office. After configuring basic network settings, the administrator attempts to install the threat prevention license. The firewall is connected to the internet via a NAT device. The administrator registers the firewall with the Palo Alto Networks support portal using the serial number. The license is successfully added to the account. However, when checking the firewall's license status via the web interface, it shows 'Authentication Failed' for the license. The administrator can ping a well-known DNS server from the firewall's management IP. What is the most likely cause?

113

An administrator notices that the firewall's web interface is accessible via HTTPS but shows an expired certificate warning. The firewall's management certificate was issued by an internal CA and has a validity of two years. The administrator checks the certificate and sees it expired yesterday. The administrator generates a new self-signed certificate through the firewall's GUI. After generating, the administrator assigns the new certificate to the HTTPS management interface. Despite this, the firewall still presents the old expired certificate when accessed. What is the most likely cause?

114

A network administrator needs to ensure that firewall-generated traffic (e.g., NTP queries, DNS lookups, Panorama communications) uses a specific source IP address from a loopback interface. Which two configuration steps are required? (Choose two.)

115

After a firewall upgrade, the system clock shows a time that is five minutes behind the actual time, even though NTP is synchronized. What is the most likely cause?

116

A company has a pair of PA-5220 firewalls configured in an active/passive high-availability (HA) cluster. The devices are managed via Panorama, which also manages other firewalls. The security team reports that after a recent commit on Panorama, the passive firewall in the HA pair stops responding to management pings. The active firewall continues to pass traffic and is manageable. Upon investigation, the passive firewall shows the following on its console: 'Management plane is down.' The administrator suspects the passive firewall might have received a configuration that disables the management interface. What should the administrator do to restore management access to the passive firewall without affecting production traffic?

Practice all 116 Device Management and Services questions

Other PCNSA exam domains

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficCore ConceptsPalo Alto Networks Platforms and ArchitectureApp-ID and Content-IDDecryption and Monitoring

Frequently asked questions

What does the Device Management and Services domain cover on the PCNSA exam?

The Device Management and Services domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Device Management and Services questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 116 questions in the Device Management and Services domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Device Management and Services for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Device Management and Services questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Device Management and Services domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your PCNSA domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide