Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsPCNSADomainsCore Concepts
PCNSAFree — No Signup

Core Concepts

Practice PCNSA Core Concepts questions with full explanations on every answer.

50questions

Start practicing

Core Concepts — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

PCNSA Domains

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficCore ConceptsPalo Alto Networks Platforms and ArchitectureDevice Management and ServicesApp-ID and Content-IDDecryption and Monitoring

Practice Core Concepts questions

10Q20Q30Q50Q

All PCNSA Core Concepts questions (50)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?

2

An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?

3

A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?

4

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

5

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

6

A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?

7

Your organization has deployed a Palo Alto Networks PA-5250 firewall in a high-availability active/passive configuration. The firewall is connected to two ISPs for redundancy. The internal network uses OSPF with the firewall as an ASBR redistributing a default route. Recently, users reported intermittent connectivity to external resources. During troubleshooting, you notice that the active firewall's management interface has high CPU usage, and the show session all command displays many sessions in the 'active' state but with minimal data transfer. The passive firewall shows no such issues. The OSPF neighbor relationships are stable. What is the most likely cause of the intermittent connectivity?

8

Refer to the exhibit. A firewall has learned three routes for the 10.0.1.0/24 network. Which route will be used for forwarding traffic destined to 10.0.1.1?

9

Which THREE actions can a Security policy rule perform on traffic?

10

A security administrator is troubleshooting a site-to-site IPsec VPN between two Palo Alto Networks firewalls. The Phase 1 proposal includes AES-256, SHA-256, and DH Group 14 with a lifetime of 28800 seconds. The Phase 2 proposal includes AES-256, SHA-256, and PFS with DH Group 14. The tunnel is established and traffic is flowing, but intermittently the tunnel drops and re-establishes. The logs show the following error: 'Phase 2 negotiation failed because no suitable proposal found.' Both firewalls have identical IKE gateway and IPsec crypto profile configurations. Which option is the most likely cause of this issue?

11

Drag and drop the steps to configure a NAT policy on a Palo Alto Networks firewall into the correct order.

12

Match each log type to its description.

13

A security administrator notices that traffic from a specific subnet is not being logged in the Traffic logs, although the traffic is allowed by a security policy rule. Which configuration setting should be verified?

14

A company wants to ensure that all internet-bound HTTP traffic is decrypted for inspection before being forwarded to the next-generation firewall for policy enforcement. Which deployment method should be used?

15

An organization is experiencing high CPU utilization on the firewall dataplane, causing latency in packet processing. The administrator notices that a large number of small packets are being processed by a specific security rule that allows any service. What is the best first step to reduce CPU load without impacting legitimate traffic?

16

A network administrator wants to allow FTP traffic from the internal network (zone: trust) to an external server (zone: untrust) while ensuring that the firewall can inspect the FTP control and data channels. Which security rule configuration is required?

17

An administrator configures a security policy rule to block traffic from IP address 10.1.1.1 to 10.2.2.2 on any service. However, traffic from 10.1.1.1 to 10.2.2.2 is still passing through the firewall. After checking all rules, what is the most likely cause?

18

A firewall administrator is troubleshooting a scenario where outbound HTTPS traffic to a specific website is being blocked. The security rule allows application 'ssl' and service 'application-default'. The URL Filtering profile blocks the category 'hacking'. The administrator confirms the destination URL falls under 'hacking' category. Which action should be taken to allow the traffic while maintaining security?

19

Which of the following is a best practice when configuring an HA (High Availability) pair of Palo Alto Networks firewalls?

20

An administrator needs to create a rule that allows internal users to access a public web server hosted in the DMZ. The firewall is in layer 3 mode. Which rule configuration is correct for this scenario?

21

During a security audit, it is discovered that some traffic from the 'guest' zone to the 'untrust' zone is not being inspected by Threat Prevention profiles. The security rule that matches this traffic has a Threat Prevention profile applied. What is a likely reason for the lack of inspection?

22

Which TWO of the following are key benefits of using an Application-Based Security Policy compared to a Port-Based Security Policy? (Choose TWO.)

23

Which THREE of the following actions are valid actions for a security policy rule on a Palo Alto Networks firewall? (Choose THREE.)

24

Which TWO of the following are required to configure a site-to-site VPN using IKEv2 on Palo Alto Networks firewalls? (Choose TWO.)

25

Refer to the exhibit. Based on the session information, which type of NAT is being performed?

26

Refer to the exhibit. An administrator observes that HTTP requests from the 10.0.0.0/24 network to the 172.16.1.0/24 network are being logged but the logs show that the action taken is 'deny'. What is the most likely cause?

27

Refer to the exhibit. An administrator notices that SSH traffic from the trust zone to the untrust zone is being blocked. The administrator expected it to be allowed by rule 2. What is the most likely reason?

28

A network administrator notices that traffic from the internal zone to the external zone is being denied, even though a security policy allowing all outbound traffic exists. The internal zone is configured with a zone protection profile that has Flood Protection enabled. What is the most likely cause of the denial?

29

A company uses destination NAT to translate a public IP to an internal server. They need to ensure that traffic sourced from the internal network to the public IP is also translated correctly. What is the best practice to achieve this?

30

An organization is planning to deploy SSL decryption for outbound traffic. They want to inspect all traffic from internal users to the internet, but they need to exclude traffic to financial sites for compliance reasons. Which approach should be taken?

31

A security engineer is creating a security policy that should allow access to Salesforce.com for the sales team. The engineer configures the policy to allow application 'ssl' with no restriction on URL category. How can the engineer ensure that only traffic to Salesforce.com is allowed and not all SSL traffic?

32

A company uses Active Directory for user authentication. They want to enforce security policies based on user identity. What is the required first step to enable User-ID on the Palo Alto Networks firewall?

33

An administrator wants to protect the firewall management interface from unauthorized access. The management interface is on a separate management network. Which of the following is the best security practice to restrict access?

34

A firewall administrator needs to generate a report that shows the top applications consuming bandwidth over the last week. Which Palo Alto Networks tool should be used?

35

Two Palo Alto Networks firewalls are deployed in an active/passive high availability pair. The passive firewall does not synchronize configuration changes. What is the most likely cause?

36

Users report that some internal services are not accessible when connected via VPN, but they work when on the local network. The firewall has a policy allowing all traffic from the VPN zone to the internal zone. What should the administrator check first?

37

Which TWO are valid methods for authenticating administrative users on Palo Alto Networks firewalls? (Choose two.)

38

Which THREE actions can improve firewall performance by reducing CPU load? (Choose three.)

39

Which THREE are default security profile groups in PAN-OS? (Choose three.)

40

Refer to the exhibit. A user in the trust zone attempts to access https://www.example.com. The traffic matches rule 2 first. What is the expected behavior?

41

Refer to the exhibit. A packet arrives with source IP 192.168.1.10, destination IP 203.0.113.10, destination port 80, from zone trust. After this NAT rule is applied, what will be the destination IP and port of the packet?

42

A multinational company has deployed a Palo Alto Networks firewall in a datacenter to provide internet access to employees in the corporate office and remote branches via IPsec VPN. The firewall is configured with multiple virtual routers, security zones (trust, untrust, dmz, vpn), and policies for application and URL filtering. Recently, users in the corporate office report that they cannot access a critical cloud-based CRM application (https://crm.company.com) from their workstations, while access from remote VPN users works fine. Other websites are accessible from the corporate office. The IT team has verified that DNS resolution is correct and that the CRM server responds to pings from the firewall's management IP. The security policy includes a rule from trust to untrust that allows application 'crm-base' and 'ssl' with URL category 'crm-sites'. The administrator has checked the traffic logs and sees that sessions are being denied with the reason 'application mismatch'. Which of the following is the most likely cause and correct course of action?

43

A network administrator is configuring a new security policy to allow specific inbound traffic to a web server. The policy must be as specific as possible to minimize risk. Which configuration approach is correct?

44

A security administrator is troubleshooting an issue where users cannot access a specific website. The security policy allows web-browsing from the internal zone to the external zone. Which TWO actions should the administrator take to verify the traffic is being matched and allowed?

45

A company has a Palo Alto Networks firewall in a data center, connecting internal users (zone: Internal) to the internet (zone: Untrust). Recently, users report that they cannot access the corporate HR portal hosted on a server in the DMZ (zone: DMZ, IP 10.10.10.10) using HTTPS. The firewall has a security policy that allows traffic from Internal to DMZ with application web-browsing and service https-ssl. The policy is in place and committed. The administrator verifies that the web server is running and reachable from within the DMZ. From the firewall, a ping from the management interface to the server is successful. However, when a user tries to access https://10.10.10.10, the connection times out. Traffic logs show no sessions logged for that traffic. What is the most likely cause?

46

An organization uses a Palo Alto Networks firewall to segment its network into three zones: Corp (10.0.1.0/24), Guest (10.0.2.0/24), and Mgmt (10.0.3.0/24). The firewall is running PAN-OS 10.0. The administrator wants to ensure that only devices from the Corp zone can access the management interface of the firewall via SSH from the internal network. The management interface is physically connected to the Mgmt network, and its IP is 10.0.3.1/24. A security policy must be configured to permit this access. Which approach should the administrator take?

47

A network administrator is migrating from a legacy firewall to a new Palo Alto Networks firewall. The current firewall has a large number of ACL rules that allow traffic based on source/destination IP and port. The administrator wants to convert these rules to App-ID based policies on the Palo Alto firewall. What is the recommended best practice to ensure a smooth migration while maintaining security?

48

A security administrator is reviewing best practices for creating security policies on a Palo Alto Networks firewall. Which two of the following are recommended practices?

49

Refer to the exhibit. A user at IP 10.1.1.5 on the untrust zone is trying to access a server on the trust zone. The traffic is being blocked by a default deny rule instead of being allowed by rule1. What is the most likely reason?

50

A small company runs a Palo Alto Networks PA-220 firewall with three zones: trust (internal users), untrust (internet), and dmz (public-facing services). They host a web server on IP 10.0.1.10 in the dmz zone, serving HTTPS content. The administrator created a security policy rule that allows traffic from untrust to dmz with source 'any', destination 10.0.1.10, service HTTPS, and action allow. No security profiles are applied to this rule. Users outside the company can access the web server successfully. However, the administrator notices from log reports that certain application-based attacks, such as SQL injection and cross-site scripting, are reaching the web server undetected. The firewall has the required threat prevention licenses installed. What is the best course of action to improve security posture?

Practice all 50 Core Concepts questions

Other PCNSA exam domains

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficPalo Alto Networks Platforms and ArchitectureDevice Management and ServicesApp-ID and Content-IDDecryption and Monitoring

Frequently asked questions

What does the Core Concepts domain cover on the PCNSA exam?

The Core Concepts domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Core Concepts questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 50 questions in the Core Concepts domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Core Concepts for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Core Concepts questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Core Concepts domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your PCNSA domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide