
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Managing Objects

Practice PCNSA Managing Objects questions with full explanations on every answer.

53 questions


All PCNSA Managing Objects questions (53)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?

2

A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?

3

During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?

4

An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?

5

Which TWO statements about External Dynamic Lists (EDLs) are true?

6

An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?

7

Refer to the exhibit. An administrator configured a dynamic address group named 'WebServers-Group' with filter 'WebServer-*'. However, the group does not include the address objects 'WebServer-1' and 'WebServer-2'. What is the most likely reason?

8

Which TWO of the following are valid methods to add an IP address to a pre-existing address group in PAN-OS? (Select two.)

9

A security administrator manages a Palo Alto Networks firewall in a large enterprise. The company has multiple remote sites connected via IPSec VPNs. Each site has its own subnet (e.g., Site A: 10.10.1.0/24, Site B: 10.10.2.0/24). The administrator needs to create a security policy that allows all inter-site traffic but blocks all traffic to and from the internet except for specific services. The administrator wants to use address groups to simplify management. Currently, there are address groups for each site (e.g., 'Site-A-Networks', 'Site-B-Networks') containing the respective subnets. The administrator also has an address group 'Internet-Allow' for allowed external IPs. The policy should have a rule that permits traffic from any site to any other site, and a rule that permits traffic from internal networks to the 'Internet-Allow' group for destination ports 80 and 443. Which of the following approaches best achieves this with minimal administrative overhead?

10

Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.

11

Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.

12

Match each firewall deployment mode to its description.

13

Match each PAN-OS CLI command to its function.

14

A network administrator needs to block traffic to a specific external website. Which object type should be used in the security policy to define the destination?

15

An administrator has created an address group that includes an FQDN address object. When the FQDN's IP address changes, how does the firewall update the group?

16

An organization uses multiple firewalls and wants to share dynamic address groups across them. Which feature should be used?

17

A security policy rule references a service object "HTTP" which is pre-defined. What is the default port for the HTTP service object?

18

An administrator needs to allow traffic from multiple subnets to a specific internal server. The subnets are all part of the same address group. Which object would simplify the security policy rule?

19

A company uses dynamic address groups based on tags. A virtual machine receives the tag "WebServer". After the VM is decommissioned, the tag is removed. What happens to the dynamic address group?

20

Which object type is used to group multiple service objects together for use in a security policy?

21

An administrator creates a custom service object for TCP port 3389. What is the standard name for this service?

22

A firewall administrator needs to allow traffic based on the application, not just port. Which type of object should be used in the security policy?

23

Which TWO types of address objects can be used in a security policy? (Choose two.)

24

Which THREE are valid object types in Palo Alto Networks NGFW? (Choose three.)

25

A security policy rule has an action of "allow". Which TWO objects are mandatory for the rule to be valid? (Choose two.)

26

How many address objects are members of the 'web-servers' address group?

27

Based on the log excerpt, which object is used for the destination address?

28

A security policy rule uses 'MyService' and 'ServerGroup'. What is the destination port of the allowed traffic?

29

A security administrator needs to create an address object for a single host with IP address 192.168.1.100. Which address type should the administrator choose?

30

An administrator wants to group multiple servers with different IP addresses that all use the same port 443. What is the most efficient way to create a security policy rule for this traffic?

31

A company needs to block a list of known malicious domains that is updated daily by a threat intelligence vendor. Which Palo Alto Networks object should be used?

32

An administrator creates a dynamic address group named 'prod-servers' configured to match any tag with the value 'production'. After tagging address objects with 'Production' (capital P), the group does not include them. What is the most likely cause?

33

An administrator wants to create a service object for TCP port 8080 and call it 'web-proxy'. Which properties must be specified?

34

A large enterprise uses dynamic address groups based on tags to manage firewall policies. The administrator notices that a specific address object is being incorrectly included in a dynamic address group that should only contain servers from a different region. What could be the reason?

35

An administrator is troubleshooting a security policy that uses a service group containing both TCP and UDP service objects. The policy is intended to allow DNS traffic (UDP 53 and TCP 53). The rule is not allowing TCP DNS. What is the most likely issue?

36

An organization uses an External Dynamic List (EDL) to block IP addresses. The EDL is updated every 5 minutes on the server, but the firewall still uses the old list even after the refresh interval. What is the most likely cause?

37

An admin creates an application group named 'web-apps' that includes 'web-browsing' and 'ssl'. They apply it to a security rule. However, traffic from a client accessing Facebook is being blocked. What is a likely reason?

38

An administrator needs to create a service group for a custom application that uses TCP ports 1000 and 2000. Which two methods will successfully create a service group that can be used in a single security rule? (Choose two.)

39

Which three of the following are valid types of address objects in Palo Alto Networks? (Choose three.)

40

Which three of the following are true about tag-based dynamic address groups? (Choose three.)

41

Refer to the exhibit. An admin adds a new address object 'web-04' with IP 10.0.0.4 and applies it to a security policy that references the address group 'web-servers'. However, traffic to 10.0.0.4 is not allowed. What is the most likely cause?

42

Refer to the exhibit. An admin adds a new address object 'db-03' with IP 10.0.0.3 and tags it with 'database'. However, 'db-03' does not appear in the group. What could be the reason?

43

Refer to the exhibit. An admin reviews the traffic log and sees that traffic from 192.168.1.100 to 10.0.0.50 is allowed by rule 'rule1'. The rule uses a service group 'web-services' which includes 'service-http' and 'service-https'. However, the admin intended to block HTTPS traffic. What is the misconfiguration?

44

A security administrator is configuring an address object for a web server accessible from the internet. The server has a public IP of 203.0.113.10/32 and a private IP of 10.0.1.10/32. The administrator needs to create a security policy that allows inbound HTTPS traffic to the server. Which address object type should be used for the destination?

45

An organization has deployed Palo Alto Networks firewalls in a multi-tenant environment. Each tenant has its own set of address objects and address groups. The firewall administrator wants to ensure that address objects from one tenant cannot be used in security policies of another tenant. What is the best practice to achieve this?

46

Which TWO of the following are valid types of address objects in Palo Alto Networks? (Choose two.)

47

A company uses a Palo Alto Networks firewall to control outbound access. They have created custom application filters to block social media and streaming. However, they need to allow a specific corporate YouTube channel for training videos. The administrator creates an application group "Corporate-YouTube" containing the "youtube-base" application, and adds a security rule to allow traffic from internal users to the application group. Despite this, users still cannot access the corporate YouTube channel. What is the most likely reason?

48

A network administrator manages a Palo Alto Networks firewall in a datacenter. They have configured dynamic address groups (DAGs) to automatically include servers based on tags. The tags are assigned via User-ID from Active Directory. The administrator notices that some servers that should be in the DAG are not appearing, while others are correctly added. The firewall is configured to receive User-ID information from a domain controller via the PAN-OS Agent. The tags are correctly assigned in Active Directory. What should the administrator verify first?

49

A small business uses a Palo Alto Networks PA-220 firewall. The administrator needs to create a security policy to allow inbound VPN connections from remote employees using IPsec. The remote employees connect using dynamic IP addresses. The administrator creates an address object "Remote-VPN-Users" of type "IP Range" but that doesn't work because the IPs are not known. What address object type should be used instead?

50

A healthcare organization uses Palo Alto Networks firewalls to secure patient data. They have strict compliance requirements to log all access to medical records servers. The servers are grouped in an address group "Medical-Servers". The administrator wants to ensure that any security policy that uses this address group as destination also logs the session end. They also want to reduce administrative overhead. What is the best way to enforce logging for all policies referencing this group?

51

A security administrator needs to create address objects for a group of servers that share the same subnet 192.168.10.0/24. Which TWO methods can be used to efficiently manage these objects in Palo Alto Networks firewall configuration?

52

Refer to the exhibit. A newly deployed web server has an address object with tags 'Production' and 'Web'. However, the 'Allow SSL to Internet' security rule using the dynamic address group 'MyServers' as source is not matching traffic destined to the internet. What is the most likely cause?

53

A company with a Palo Alto Networks firewall operating in Layer 2 transparent mode wants to control access to an internal ERP system. The ERP system uses a non-standard TCP port 4444. The security administrator creates a custom application object named 'ERP' with protocol set to 'tcp' and port range 4444-4444. Then, a security policy is configured allowing application 'ERP' from the internal zone to the ERP server zone. Users report they cannot connect to the ERP system. Firewall logs show no traffic matching the application 'ERP'. What should the administrator do to resolve the issue?


Frequently asked questions

What does the Managing Objects domain cover on the PCNSA exam?

The Managing Objects domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Managing Objects questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 53 questions in the Managing Objects domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Managing Objects for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Managing Objects questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Managing Objects domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
