Practice PCNSA Palo Alto Networks Platforms and Architecture questions with full explanations on every answer.
Start practicing
Palo Alto Networks Platforms and Architecture — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?
2An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?
3A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?
4A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?
5After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?
6A firewall is configured with multiple virtual routers. Traffic from a host in Vsys A needs to reach a server in Vsys B. Both virtual routers have direct routes to their respective subnets. What additional configuration is required?
7An administrator needs to provide internet access to employees while blocking access to social media sites. Which feature should be used to identify and block social media traffic?
8A security team is deploying a Palo Alto Networks firewall in an AWS VPC using the VM-Series. They need to ensure that traffic between two subnets within the same VPC is inspected by the firewall. What is the required network configuration?
9An organization uses GlobalProtect for remote access. Users report that they cannot connect to the portal. The firewall's GlobalProtect portal configuration is correct, and the firewall has a valid certificate. What is the most likely cause of the issue?
10An administrator is configuring a new Palo Alto Networks firewall and wants to ensure that management access to the firewall is secure. Which of the following is a best practice for securing management access?
11A firewall is configured with multiple security zones. Traffic from the 'Untrust' zone to the 'DMZ' zone is allowed for web services. The administrator wants to ensure that the DMZ servers cannot initiate connections to the Untrust zone. What is the correct approach?
12A security engineer is troubleshooting a connectivity issue where internal users cannot reach a public web server hosted on the internet. The firewall is configured with a security policy that allows traffic from the internal zone to the external zone on port 80. The engineer notices that traffic is being dropped. Upon checking the session table, the engineer sees that the session is initiated correctly but the return traffic is not matching the existing session. What is the most likely cause?
13A network administrator is designing a Palo Alto Networks firewall deployment for a large enterprise with multiple branch offices. The requirement is to ensure that if the primary firewall at headquarters fails, the branch offices can still access the internet via a local breakout using a redundant firewall at the branch. Which architecture best meets this requirement with minimal complexity?
14Which TWO of the following are valid methods to deploy a Palo Alto Networks firewall in a virtualized environment? (Choose two.)
15Refer to the exhibit. A user from the trust zone (10.0.0.5) is trying to access a web server at 203.0.113.1 on port 80. The firewall shows a session with application 'incomplete'. What is the most likely reason for this?
16Drag and drop the steps to configure a User-ID agent on a Palo Alto Networks firewall into the correct order.
17Match each Palo Alto Networks service to its typical use.
18A company needs to deploy a firewall for a branch office with 50 users. Which Palo Alto Networks platform is most appropriate for this requirement?
19A network administrator notices that the firewall's dataplane CPU is consistently above 80% during peak hours. The administrator wants to reduce CPU load without impacting security. Which action should the administrator take?
20An organization deploys VM-Series firewalls in a public cloud. They need to ensure consistent security policy management across multiple cloud accounts. Which architecture best addresses this requirement?
21An administrator is configuring Network Address Translation (NAT) on a Palo Alto Networks firewall. Which of the following statements about the order of NAT rule evaluation is correct?
22Which of the following is a best practice when creating security policy rules on a Palo Alto Networks firewall?
23Two Palo Alto Networks firewalls are configured in an active/passive high-availability pair. During a failover event, the passive firewall becomes active but the session table is empty. What is the most likely cause?
24An administrator needs to decrypt HTTPS traffic from external users to the company's web servers. Which decryption policy should the administrator configure?
25Which Palo Alto Networks subscription service provides real-time threat intelligence about unknown files and links?
26A security policy allows traffic from zone 'Trust' to zone 'Untrust' for HTTP and HTTPS. The administrator notices that the traffic is being processed by the firewall but no session is created in the session table for the first packet of a new connection. What is the most likely reason?
27Refer to the exhibit. The firewall is currently running PAN-OS 9.1.4. The administrator wants to upgrade to the latest available version shown. What should the administrator do first?
28Refer to the exhibit. The firewall cannot reach the Internet. Based on the routing table, what is the most likely cause?
29Refer to the exhibit. Which profile group is applied to this security rule?
30Which TWO of the following are valid methods to centrally manage multiple Palo Alto Networks firewalls?
31Which THREE of the following are requirements for configuring High Availability (HA) on Palo Alto Networks firewalls?
32Which TWO of the following are valid log types on a Palo Alto Networks firewall?
33A company has a PA-5250 firewall with 10 Gbps threat prevention throughput. They are planning to enable SSL decryption for all traffic. What is the most likely impact on the firewall's throughput?
34A network administrator is configuring a new PA-220 firewall. The management interface (MGT) must be accessible from the internal network for GUI access. Which IP address should be assigned to the MGT interface?
35Two PA-3220 firewalls are configured in an active/passive HA pair. The passive firewall's configuration becomes out of sync with the active firewall after a software upgrade. What is the most efficient way to resynchronize the configuration?
36A company uses Palo Alto Networks firewalls and wants to decrypt inbound traffic to their web server. Which decryption type should be configured?
37A network engineer needs to apply the same security policy to multiple firewalls. Which tool should be used to centralize policy management?
38A firewall is configured to send logs to an external syslog server. Some logs are missing, but other logs are arriving. Which step should be taken to troubleshoot this issue?
39A security administrator wants to block traffic from a specific country using the firewall. How can this be achieved with minimal administrative overhead?
40An organization has multiple virtual routers on a single firewall. Traffic between two virtual routers must be inspected by security policies. How should this be configured?
41A PA-5250 firewall is experiencing high CPU usage on the dataplane. Analysis shows that a large amount of traffic is being processed by the application identification engine. What can be done to reduce the CPU load?
42Which TWO of the following are valid dataplane components in a Palo Alto Networks firewall?
43Which THREE of the following are valid features of Palo Alto Networks active/passive HA?
44Which TWO of the following are stages in the packet processing flow on a Palo Alto Networks firewall?
45Based on the exhibit, what is the most likely cause if the firewall is dropping new connections but existing sessions continue to work?
46Based on the exhibit, what will happen when a user in the trust zone attempts to access an HTTPS website (TCP 443)?
47Based on the exhibit, what action did the firewall take on this traffic?
48A junior administrator is investigating a network issue where traffic to a critical server is being blocked. To see the specific security rule that matched and the action taken, which log should the administrator review?
49A network engineer is configuring a new PA-220 firewall in a small branch office. The firewall must be managed centrally from Panorama. What is the first step after physically installing the firewall?
50A security architect is planning a deployment for a multi-tenant data center where each tenant requires isolated security policies and separate administrators. Which Palo Alto Networks architecture best meets these requirements?
51An administrator needs to deploy a Palo Alto Networks firewall in a location where the network infrastructure does not support routing. The firewall must be transparent to the existing network. Which deployment mode should be used?
52A company is expanding its network and needs to add a new data center. The two data centers will be connected via a WAN link. To protect the traffic between data centers, the security team wants to use site-to-site VPNs. Which Palo Alto Networks feature is used to route traffic between VPN tunnels and security zones?
53An organization is experiencing performance degradation on their PA-5250 firewall after enabling SSL decryption for all traffic. The firewall's CPU usage is consistently above 80%. The decision is made to offload SSL decryption to a dedicated appliance. Which deployment architecture allows the Palo Alto firewall to inspect decrypted traffic while the decryption occurs elsewhere?
54A network administrator wants to ensure that if the primary firewall fails, a secondary firewall takes over without any manual intervention. Which high availability feature is essential for this automatic failover?
55A company deploys a Palo Alto Networks firewall in a cloud environment using the VM-Series. The firewall must scale to handle traffic spikes. Which architectural approach provides the best elasticity and management simplicity?
56A security engineer must ensure that all traffic from a specific branch office to the internet is inspected by the company's Palo Alto firewall before reaching the internet. However, the branch office has a local router that routes directly to the ISP. What architectural change is required to enforce this?
57Which three components are part of the Palo Alto Networks Next-Generation Firewall architecture? (Choose three.)
58A company is designing a high availability deployment and wants to minimize downtime. Which two configurations are required for session failover? (Choose two.)
59A security architect is evaluating the VM-Series firewall for a private cloud deployment. Which three features are specific to the VM-Series that differentiate it from physical Palo Alto firewalls? (Choose three.)
60Refer to the exhibit. A network engineer executes the "show system info" command and sees the above output. Based on the model and PAN-OS version, which of the following is true about this firewall?
61A large enterprise operates multiple data centers with a Palo Alto Networks firewall pair in each data center in active/passive HA. The firewalls are managed by Panorama. Recently, after a power outage in Data Center A, both firewalls in that data center came back online but are not passing traffic. The network team confirms that the switches and routers are operational. The Panorama administrator sees that both firewalls are connected and show green in the Managed Devices tab. However, the active firewall in Data Center A shows "HA state: passive" and the other firewall also shows "passive". The administrator suspects a configuration issue. What is the most likely cause and corrective action?
62A small business uses a single PA-220 firewall for internet access and has three internal zones: Trust, DMZ, and Guest. Users in the Trust zone report intermittent connectivity to a public cloud application. The firewall administrator checks the traffic logs and sees that sessions to the cloud application show "Application: ssl" and "Action: allow". The administrator suspects the issue might be related to decryption. The firewall currently has a decryption policy that decrypts all outbound HTTPS traffic for threat inspection. The cloud application uses certificate pinning and breaks when decrypted. What is the best solution to allow this application to function while still decrypting other traffic?
63A network administrator is configuring a Palo Alto Networks firewall in a datacenter. Which TWO traffic types can be inspected by the firewall's Threat Prevention subscription? (Choose two.)
64A medium-sized enterprise recently deployed a pair of PA-5250 firewalls in an active/passive high-availability configuration. The network team notices that after a failover event, the new active firewall does not pass any traffic for about 30 seconds, even though the session table is synchronized. Users report that existing connections break and need to be re-established. The firewall is configured to use session state synchronization and failover triggers based on link state and ping to the next-hop gateway. Which action should the administrator take to minimize traffic disruption during failover?
65A large financial institution runs a PA-5250 firewall in a virtual wire mode between two core switches. The firewall is configured with multiple virtual wire sub-interfaces to segregate traffic for different VLANs. Recently, the security team noticed that multicast traffic from a critical trading application is not being forwarded across the virtual wire link. The firewall has multicast policies enabled, and the trading application uses IGMPv3. The administrator has verified that the firewall's multicast policy allows the traffic and that the IGMP snooping is enabled on the adjacent switches. However, the multicast stream does not reach the receivers on the other side. Which step should the administrator take to resolve this issue?
66A company has a single Palo Alto Networks firewall protecting its internet connection. The IT team wants to allow remote employees to access internal resources using GlobalProtect. They have already configured the portal and gateway on the firewall, and users can successfully connect and obtain an IP address from the IP pool assigned to the gateway. However, remote users report that they cannot access any internal servers after connecting. The firewall has security policies that allow traffic from the GlobalProtect gateway's IP pool to the internal servers. Which additional configuration step is most likely required?
67A small business needs a firewall that supports at least 500 Mbps firewall throughput and includes integrated SD-WAN capabilities. Which TWO Palo Alto Networks platforms meet these requirements? (Choose two.)
68Refer to the exhibit. A network administrator sees this output from a Palo Alto Networks firewall. What does the 'System mode: virtual' indicate about this firewall?
69A company has deployed PA-220 firewalls at 50 branch offices, each connected to the corporate headquarters via IPSec VPN tunnels. Recently, users have reported slow file transfers across the VPN, especially for large files. The network team has checked link utilization and found that the VPN tunnel bandwidth is under 20% utilized, and CPU on the firewalls is around 40%. The security policies are basic, with no threat prevention profiles applied to the VPN traffic. The team suspects the issue is related to VPN performance. After reviewing the configuration, they notice that the VPN tunnels are configured with default settings. Which of the following actions would most likely improve VPN throughput without requiring hardware upgrades or changing the security level?
The Palo Alto Networks Platforms and Architecture domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 69 questions in the Palo Alto Networks Platforms and Architecture domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Palo Alto Networks Platforms and Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included