Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Palo Alto Networks Platforms and Architecture

Practice PCNSA Palo Alto Networks Platforms and Architecture questions with full explanations on every answer.

69 questions

All PCNSA Palo Alto Networks Platforms and Architecture questions (69)

1

A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?

2

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

3

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

4

A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?

5

After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?

6

A firewall is configured with multiple virtual routers. Traffic from a host in Vsys A needs to reach a server in Vsys B. Both virtual routers have direct routes to their respective subnets. What additional configuration is required?

7

An administrator needs to provide internet access to employees while blocking access to social media sites. Which feature should be used to identify and block social media traffic?

8

A security team is deploying a Palo Alto Networks firewall in an AWS VPC using the VM-Series. They need to ensure that traffic between two subnets within the same VPC is inspected by the firewall. What is the required network configuration?

9

An organization uses GlobalProtect for remote access. Users report that they cannot connect to the portal. The firewall's GlobalProtect portal configuration is correct, and the firewall has a valid certificate. What is the most likely cause of the issue?

10

An administrator is configuring a new Palo Alto Networks firewall and wants to ensure that management access to the firewall is secure. Which of the following is a best practice for securing management access?

11

A firewall is configured with multiple security zones. Traffic from the 'Untrust' zone to the 'DMZ' zone is allowed for web services. The administrator wants to ensure that the DMZ servers cannot initiate connections to the Untrust zone. What is the correct approach?

12

A security engineer is troubleshooting a connectivity issue where internal users cannot reach a public web server hosted on the internet. The firewall is configured with a security policy that allows traffic from the internal zone to the external zone on port 80. The engineer notices that traffic is being dropped. Upon checking the session table, the engineer sees that the session is initiated correctly but the return traffic is not matching the existing session. What is the most likely cause?

13

A network administrator is designing a Palo Alto Networks firewall deployment for a large enterprise with multiple branch offices. The requirement is to ensure that if the primary firewall at headquarters fails, the branch offices can still access the internet via a local breakout using a redundant firewall at the branch. Which architecture best meets this requirement with minimal complexity?

14

Which TWO of the following are valid methods to deploy a Palo Alto Networks firewall in a virtualized environment? (Choose two.)

15

Refer to the exhibit. A user from the trust zone (10.0.0.5) is trying to access a web server at 203.0.113.1 on port 80. The firewall shows a session with application 'incomplete'. What is the most likely reason for this?

16

Drag and drop the steps to configure a User-ID agent on a Palo Alto Networks firewall into the correct order.

17

Match each Palo Alto Networks service to its typical use.

18

A company needs to deploy a firewall for a branch office with 50 users. Which Palo Alto Networks platform is most appropriate for this requirement?

19

A network administrator notices that the firewall's dataplane CPU is consistently above 80% during peak hours. The administrator wants to reduce CPU load without impacting security. Which action should the administrator take?

20

An organization deploys VM-Series firewalls in a public cloud. They need to ensure consistent security policy management across multiple cloud accounts. Which architecture best addresses this requirement?

21

An administrator is configuring Network Address Translation (NAT) on a Palo Alto Networks firewall. Which of the following statements about the order of NAT rule evaluation is correct?

22

Which of the following is a best practice when creating security policy rules on a Palo Alto Networks firewall?

23

Two Palo Alto Networks firewalls are configured in an active/passive high-availability pair. During a failover event, the passive firewall becomes active but the session table is empty. What is the most likely cause?

24

An administrator needs to decrypt HTTPS traffic from external users to the company's web servers. Which decryption policy should the administrator configure?

25

Which Palo Alto Networks subscription service provides real-time threat intelligence about unknown files and links?

26

A security policy allows traffic from zone 'Trust' to zone 'Untrust' for HTTP and HTTPS. The administrator notices that the traffic is being processed by the firewall but no session is created in the session table for the first packet of a new connection. What is the most likely reason?

27

Refer to the exhibit. The firewall is currently running PAN-OS 9.1.4. The administrator wants to upgrade to the latest available version shown. What should the administrator do first?

28

Refer to the exhibit. The firewall cannot reach the Internet. Based on the routing table, what is the most likely cause?

29

Refer to the exhibit. Which profile group is applied to this security rule?

30

Which TWO of the following are valid methods to centrally manage multiple Palo Alto Networks firewalls?

31

Which THREE of the following are requirements for configuring High Availability (HA) on Palo Alto Networks firewalls?

32

Which TWO of the following are valid log types on a Palo Alto Networks firewall?

33

A company has a PA-5250 firewall with 10 Gbps threat prevention throughput. They are planning to enable SSL decryption for all traffic. What is the most likely impact on the firewall's throughput?

34

A network administrator is configuring a new PA-220 firewall. The management interface (MGT) must be accessible from the internal network for GUI access. Which IP address should be assigned to the MGT interface?

35

Two PA-3220 firewalls are configured in an active/passive HA pair. The passive firewall's configuration becomes out of sync with the active firewall after a software upgrade. What is the most efficient way to resynchronize the configuration?

36

A company uses Palo Alto Networks firewalls and wants to decrypt inbound traffic to their web server. Which decryption type should be configured?

37

A network engineer needs to apply the same security policy to multiple firewalls. Which tool should be used to centralize policy management?

38

A firewall is configured to send logs to an external syslog server. Some logs are missing, but other logs are arriving. Which step should be taken to troubleshoot this issue?

39

A security administrator wants to block traffic from a specific country using the firewall. How can this be achieved with minimal administrative overhead?

40

An organization has multiple virtual routers on a single firewall. Traffic between two virtual routers must be inspected by security policies. How should this be configured?

41

A PA-5250 firewall is experiencing high CPU usage on the dataplane. Analysis shows that a large amount of traffic is being processed by the application identification engine. What can be done to reduce the CPU load?

42

Which TWO of the following are valid dataplane components in a Palo Alto Networks firewall?

43

Which THREE of the following are valid features of Palo Alto Networks active/passive HA?

44

Which TWO of the following are stages in the packet processing flow on a Palo Alto Networks firewall?

45

Based on the exhibit, what is the most likely cause if the firewall is dropping new connections but existing sessions continue to work?

46

Based on the exhibit, what will happen when a user in the trust zone attempts to access an HTTPS website (TCP 443)?

47

Based on the exhibit, what action did the firewall take on this traffic?

48

A junior administrator is investigating a network issue where traffic to a critical server is being blocked. To see the specific security rule that matched and the action taken, which log should the administrator review?

49

A network engineer is configuring a new PA-220 firewall in a small branch office. The firewall must be managed centrally from Panorama. What is the first step after physically installing the firewall?

50

A security architect is planning a deployment for a multi-tenant data center where each tenant requires isolated security policies and separate administrators. Which Palo Alto Networks architecture best meets these requirements?

51

An administrator needs to deploy a Palo Alto Networks firewall in a location where the network infrastructure does not support routing. The firewall must be transparent to the existing network. Which deployment mode should be used?

52

A company is expanding its network and needs to add a new data center. The two data centers will be connected via a WAN link. To protect the traffic between data centers, the security team wants to use site-to-site VPNs. Which Palo Alto Networks feature is used to route traffic between VPN tunnels and security zones?

53

An organization is experiencing performance degradation on their PA-5250 firewall after enabling SSL decryption for all traffic. The firewall's CPU usage is consistently above 80%. The decision is made to offload SSL decryption to a dedicated appliance. Which deployment architecture allows the Palo Alto firewall to inspect decrypted traffic while the decryption occurs elsewhere?

54

A network administrator wants to ensure that if the primary firewall fails, a secondary firewall takes over without any manual intervention. Which high availability feature is essential for this automatic failover?

55

A company deploys a Palo Alto Networks firewall in a cloud environment using the VM-Series. The firewall must scale to handle traffic spikes. Which architectural approach provides the best elasticity and management simplicity?

56

A security engineer must ensure that all traffic from a specific branch office to the internet is inspected by the company's Palo Alto firewall before reaching the internet. However, the branch office has a local router that routes directly to the ISP. What architectural change is required to enforce this?

57

Which three components are part of the Palo Alto Networks Next-Generation Firewall architecture? (Choose three.)

58

A company is designing a high availability deployment and wants to minimize downtime. Which two configurations are required for session failover? (Choose two.)

59

A security architect is evaluating the VM-Series firewall for a private cloud deployment. Which three features are specific to the VM-Series that differentiate it from physical Palo Alto firewalls? (Choose three.)

60

Refer to the exhibit. A network engineer executes the "show system info" command and sees the above output. Based on the model and PAN-OS version, which of the following is true about this firewall?

61

A large enterprise operates multiple data centers with a Palo Alto Networks firewall pair in each data center in active/passive HA. The firewalls are managed by Panorama. Recently, after a power outage in Data Center A, both firewalls in that data center came back online but are not passing traffic. The network team confirms that the switches and routers are operational. The Panorama administrator sees that both firewalls are connected and show green in the Managed Devices tab. However, the active firewall in Data Center A shows "HA state: passive" and the other firewall also shows "passive". The administrator suspects a configuration issue. What is the most likely cause and corrective action?

62

A small business uses a single PA-220 firewall for internet access and has three internal zones: Trust, DMZ, and Guest. Users in the Trust zone report intermittent connectivity to a public cloud application. The firewall administrator checks the traffic logs and sees that sessions to the cloud application show "Application: ssl" and "Action: allow". The administrator suspects the issue might be related to decryption. The firewall currently has a decryption policy that decrypts all outbound HTTPS traffic for threat inspection. The cloud application uses certificate pinning and breaks when decrypted. What is the best solution to allow this application to function while still decrypting other traffic?

63

A network administrator is configuring a Palo Alto Networks firewall in a datacenter. Which TWO traffic types can be inspected by the firewall's Threat Prevention subscription? (Choose two.)

64

A medium-sized enterprise recently deployed a pair of PA-5250 firewalls in an active/passive high-availability configuration. The network team notices that after a failover event, the new active firewall does not pass any traffic for about 30 seconds, even though the session table is synchronized. Users report that existing connections break and need to be re-established. The firewall is configured to use session state synchronization and failover triggers based on link state and ping to the next-hop gateway. Which action should the administrator take to minimize traffic disruption during failover?

65

A large financial institution runs a PA-5250 firewall in a virtual wire mode between two core switches. The firewall is configured with multiple virtual wire sub-interfaces to segregate traffic for different VLANs. Recently, the security team noticed that multicast traffic from a critical trading application is not being forwarded across the virtual wire link. The firewall has multicast policies enabled, and the trading application uses IGMPv3. The administrator has verified that the firewall's multicast policy allows the traffic and that the IGMP snooping is enabled on the adjacent switches. However, the multicast stream does not reach the receivers on the other side. Which step should the administrator take to resolve this issue?

66

A company has a single Palo Alto Networks firewall protecting its internet connection. The IT team wants to allow remote employees to access internal resources using GlobalProtect. They have already configured the portal and gateway on the firewall, and users can successfully connect and obtain an IP address from the IP pool assigned to the gateway. However, remote users report that they cannot access any internal servers after connecting. The firewall has security policies that allow traffic from the GlobalProtect gateway's IP pool to the internal servers. Which additional configuration step is most likely required?

67

A small business needs a firewall that supports at least 500 Mbps firewall throughput and includes integrated SD-WAN capabilities. Which TWO Palo Alto Networks platforms meet these requirements? (Choose two.)

68

Refer to the exhibit. A network administrator sees this output from a Palo Alto Networks firewall. What does the 'System mode: virtual' indicate about this firewall?

69

A company has deployed PA-220 firewalls at 50 branch offices, each connected to the corporate headquarters via IPSec VPN tunnels. Recently, users have reported slow file transfers across the VPN, especially for large files. The network team has checked link utilization and found that the VPN tunnel bandwidth is under 20% utilized, and CPU on the firewalls is around 40%. The security policies are basic, with no threat prevention profiles applied to the VPN traffic. The team suspects the issue is related to VPN performance. After reviewing the configuration, they notice that the VPN tunnels are configured with default settings. Which of the following actions would most likely improve VPN throughput without requiring hardware upgrades or changing the security level?

Other PCNSA exam domains

Managing Objects, Policy Evaluation and Management, Securing Traffic, Core Concepts, Device Management and Services, App-ID and Content-ID, Decryption and Monitoring

Frequently asked questions

What does the Palo Alto Networks Platforms and Architecture domain cover on the PCNSA exam?

The Palo Alto Networks Platforms and Architecture domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Palo Alto Networks Platforms and Architecture questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 69 questions in the Palo Alto Networks Platforms and Architecture domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Palo Alto Networks Platforms and Architecture for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Palo Alto Networks Platforms and Architecture questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Palo Alto Networks Platforms and Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
