Practice PCNSA Managing Objects questions with full explanations on every answer.
1. An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?
2. A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?
3. During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?
4. An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?
5. Which TWO statements about External Dynamic Lists (EDLs) are true?
6. An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?
7. Refer to the exhibit. An administrator configured a dynamic address group named 'WebServers-Group' with filter 'WebServer-*'. However, the group does not include the address objects 'WebServer-1' and 'WebServer-2'. What is the most likely reason?
8. Which TWO of the following are valid methods to add an IP address to a pre-existing address group in PAN-OS? (Select two.)
9. A security administrator manages a Palo Alto Networks firewall in a large enterprise. The company has multiple remote sites connected via IPSec VPNs. Each site has its own subnet (e.g., Site A: 10.10.1.0/24, Site B: 10.10.2.0/24). The administrator needs to create a security policy that allows all inter-site traffic but blocks all traffic to and from the internet except for specific services. The administrator wants to use address groups to simplify management. Currently, there are address groups for each site (e.g., 'Site-A-Networks', 'Site-B-Networks') containing the respective subnets. The administrator also has an address group 'Internet-Allow' for allowed external IPs. The policy should have a rule that permits traffic from any site to any other site, and a rule that permits traffic from internal networks to the 'Internet-Allow' group for destination ports 80 and 443. Which of the following approaches best achieves this with minimal administrative overhead?
10. Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.
11. Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.
12. Match each firewall deployment mode to its description.
13. Match each PAN-OS CLI command to its function.
14. A network administrator needs to block traffic to a specific external website. Which object type should be used in the security policy to define the destination?
15. An administrator has created an address group that includes an FQDN address object. When the FQDN's IP address changes, how does the firewall update the group?
16. An organization uses multiple firewalls and wants to share dynamic address groups across them. Which feature should be used?
17. A security policy rule references a service object "HTTP" which is pre-defined. What is the default port for the HTTP service object?
18. An administrator needs to allow traffic from multiple subnets to a specific internal server. The subnets are all part of the same address group. Which object would simplify the security policy rule?
19. A company uses dynamic address groups based on tags. A virtual machine receives the tag "WebServer". After the VM is decommissioned, the tag is removed. What happens to the dynamic address group?
20. Which object type is used to group multiple service objects together for use in a security policy?
21. An administrator creates a custom service object for TCP port 3389. What is the standard name for this service?
22. A firewall administrator needs to allow traffic based on the application, not just port. Which type of object should be used in the security policy?
23. Which TWO types of address objects can be used in a security policy? (Choose two.)
24. Which THREE are valid object types in Palo Alto Networks NGFW? (Choose three.)
25. A security policy rule has an action of "allow". Which TWO objects are mandatory for the rule to be valid? (Choose two.)
26. How many address objects are members of the 'web-servers' address group?
27. Based on the log excerpt, which object is used for the destination address?
28. A security policy rule uses 'MyService' and 'ServerGroup'. What is the destination port of the allowed traffic?
29. A security administrator needs to create an address object for a single host with IP address 192.168.1.100. Which address type should the administrator choose?
30. An administrator wants to group multiple servers with different IP addresses that all use the same port 443. What is the most efficient way to create a security policy rule for this traffic?
31. A company needs to block a list of known malicious domains that is updated daily by a threat intelligence vendor. Which Palo Alto Networks object should be used?
32. An administrator creates a dynamic address group named 'prod-servers' configured to match any tag with the value 'production'. After tagging address objects with 'Production' (capital P), the group does not include them. What is the most likely cause?
33. An administrator wants to create a service object for TCP port 8080 and call it 'web-proxy'. Which properties must be specified?
34. A large enterprise uses dynamic address groups based on tags to manage firewall policies. The administrator notices that a specific address object is being incorrectly included in a dynamic address group that should only contain servers from a different region. What could be the reason?
35. An administrator is troubleshooting a security policy that uses a service group containing both TCP and UDP service objects. The policy is intended to allow DNS traffic (UDP 53 and TCP 53). The rule is not allowing TCP DNS. What is the most likely issue?
36. An organization uses an External Dynamic List (EDL) to block IP addresses. The EDL is updated every 5 minutes on the server, but the firewall still uses the old list even after the refresh interval. What is the most likely cause?
37. An admin creates an application group named 'web-apps' that includes 'web-browsing' and 'ssl'. They apply it to a security rule. However, traffic from a client accessing Facebook is being blocked. What is a likely reason?
38. An administrator needs to create a service group for a custom application that uses TCP ports 1000 and 2000. Which two methods will successfully create a service group that can be used in a single security rule? (Choose two.)
39. Which three of the following are valid types of address objects in Palo Alto Networks? (Choose three.)
40. Which three of the following are true about tag-based dynamic address groups? (Choose three.)
41. Refer to the exhibit. An admin adds a new address object 'web-04' with IP 10.0.0.4 and applies it to a security policy that references the address group 'web-servers'. However, traffic to 10.0.0.4 is not allowed. What is the most likely cause?
42. Refer to the exhibit. An admin adds a new address object 'db-03' with IP 10.0.0.3 and tags it with 'database'. However, 'db-03' does not appear in the group. What could be the reason?
43. Refer to the exhibit. An admin reviews the traffic log and sees that traffic from 192.168.1.100 to 10.0.0.50 is allowed by rule 'rule1'. The rule uses a service group 'web-services' which includes 'service-http' and 'service-https'. However, the admin intended to block HTTPS traffic. What is the misconfiguration?
44. A security administrator is configuring an address object for a web server accessible from the internet. The server has a public IP of 203.0.113.10/32 and a private IP of 10.0.1.10/32. The administrator needs to create a security policy that allows inbound HTTPS traffic to the server. Which address object type should be used for the destination?
45. An organization has deployed Palo Alto Networks firewalls in a multi-tenant environment. Each tenant has its own set of address objects and address groups. The firewall administrator wants to ensure that address objects from one tenant cannot be used in security policies of another tenant. What is the best practice to achieve this?
46. Which TWO of the following are valid types of address objects in Palo Alto Networks? (Choose two.)
47. A company uses a Palo Alto Networks firewall to control outbound access. They have created custom application filters to block social media and streaming. However, they need to allow a specific corporate YouTube channel for training videos. The administrator creates an application group "Corporate-YouTube" containing the "youtube-base" application, and adds a security rule to allow traffic from internal users to the application group. Despite this, users still cannot access the corporate YouTube channel. What is the most likely reason?
48. A network administrator manages a Palo Alto Networks firewall in a datacenter. They have configured dynamic address groups (DAGs) to automatically include servers based on tags. The tags are assigned via User-ID from Active Directory. The administrator notices that some servers that should be in the DAG are not appearing, while others are correctly added. The firewall is configured to receive User-ID information from a domain controller via the PAN-OS Agent. The tags are correctly assigned in Active Directory. What should the administrator verify first?
49. A small business uses a Palo Alto Networks PA-220 firewall. The administrator needs to create a security policy to allow inbound VPN connections from remote employees using IPsec. The remote employees connect using dynamic IP addresses. The administrator creates an address object "Remote-VPN-Users" of type "IP Range" but that doesn't work because the IPs are not known. What address object type should be used instead?
50. A healthcare organization uses Palo Alto Networks firewalls to secure patient data. They have strict compliance requirements to log all access to medical records servers. The servers are grouped in an address group "Medical-Servers". The administrator wants to ensure that any security policy that uses this address group as destination also logs the session end. They also want to reduce administrative overhead. What is the best way to enforce logging for all policies referencing this group?
51. A security administrator needs to create address objects for a group of servers that share the same subnet 192.168.10.0/24. Which TWO methods can be used to efficiently manage these objects in Palo Alto Networks firewall configuration?
52. Refer to the exhibit. A newly deployed web server has an address object with tags 'Production' and 'Web'. However, the 'Allow SSL to Internet' security rule using the dynamic address group 'MyServers' as source is not matching traffic destined to the internet. What is the most likely cause?
53. A company with a Palo Alto Networks firewall operating in Layer 2 transparent mode wants to control access to an internal ERP system. The ERP system uses a non-standard TCP port 4444. The security administrator creates a custom application object named 'ERP' with protocol set to 'tcp' and port range 4444-4444. Then, a security policy is configured allowing application 'ERP' from the internal zone to the ERP server zone. Users report they cannot connect to the ERP system. Firewall logs show no traffic matching the application 'ERP'. What should the administrator do to resolve the issue?
The Managing Objects domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 53 questions in the Managing Objects domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Managing Objects domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.