Practice PCNSA Core Concepts questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?
2. An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?
3. A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?
4. Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?
5. A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?
6. A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?
7. Your organization has deployed a Palo Alto Networks PA-5250 firewall in a high-availability active/passive configuration. The firewall is connected to two ISPs for redundancy. The internal network uses OSPF with the firewall as an ASBR redistributing a default route. Recently, users reported intermittent connectivity to external resources. During troubleshooting, you notice that the active firewall's management interface has high CPU usage, and the show session all command displays many sessions in the 'active' state but with minimal data transfer. The passive firewall shows no such issues. The OSPF neighbor relationships are stable. What is the most likely cause of the intermittent connectivity?
8. Refer to the exhibit. A firewall has learned three routes for the 10.0.1.0/24 network. Which route will be used for forwarding traffic destined to 10.0.1.1?
9. Which THREE actions can a Security policy rule perform on traffic?
10. A security administrator is troubleshooting a site-to-site IPsec VPN between two Palo Alto Networks firewalls. The Phase 1 proposal includes AES-256, SHA-256, and DH Group 14 with a lifetime of 28800 seconds. The Phase 2 proposal includes AES-256, SHA-256, and PFS with DH Group 14. The tunnel is established and traffic is flowing, but intermittently the tunnel drops and re-establishes. The logs show the following error: 'Phase 2 negotiation failed because no suitable proposal found.' Both firewalls have identical IKE gateway and IPsec crypto profile configurations. Which option is the most likely cause of this issue?
11. Drag and drop the steps to configure a NAT policy on a Palo Alto Networks firewall into the correct order.
12. Match each log type to its description.
13. A security administrator notices that traffic from a specific subnet is not being logged in the Traffic logs, although the traffic is allowed by a security policy rule. Which configuration setting should be verified?
14. A company wants to ensure that all internet-bound HTTP traffic is decrypted for inspection before being forwarded to the next-generation firewall for policy enforcement. Which deployment method should be used?
15. An organization is experiencing high CPU utilization on the firewall dataplane, causing latency in packet processing. The administrator notices that a large number of small packets are being processed by a specific security rule that allows any service. What is the best first step to reduce CPU load without impacting legitimate traffic?
16. A network administrator wants to allow FTP traffic from the internal network (zone: trust) to an external server (zone: untrust) while ensuring that the firewall can inspect the FTP control and data channels. Which security rule configuration is required?
17. An administrator configures a security policy rule to block traffic from IP address 10.1.1.1 to 10.2.2.2 on any service. However, traffic from 10.1.1.1 to 10.2.2.2 is still passing through the firewall. After checking all rules, what is the most likely cause?
18. A firewall administrator is troubleshooting a scenario where outbound HTTPS traffic to a specific website is being blocked. The security rule allows application 'ssl' and service 'application-default'. The URL Filtering profile blocks the category 'hacking'. The administrator confirms the destination URL falls under 'hacking' category. Which action should be taken to allow the traffic while maintaining security?
19. Which of the following is a best practice when configuring an HA (High Availability) pair of Palo Alto Networks firewalls?
20. An administrator needs to create a rule that allows internal users to access a public web server hosted in the DMZ. The firewall is in layer 3 mode. Which rule configuration is correct for this scenario?
21. During a security audit, it is discovered that some traffic from the 'guest' zone to the 'untrust' zone is not being inspected by Threat Prevention profiles. The security rule that matches this traffic has a Threat Prevention profile applied. What is a likely reason for the lack of inspection?
22. Which TWO of the following are key benefits of using an Application-Based Security Policy compared to a Port-Based Security Policy? (Choose TWO.)
23. Which THREE of the following actions are valid actions for a security policy rule on a Palo Alto Networks firewall? (Choose THREE.)
24. Which TWO of the following are required to configure a site-to-site VPN using IKEv2 on Palo Alto Networks firewalls? (Choose TWO.)
25. Refer to the exhibit. Based on the session information, which type of NAT is being performed?
26. Refer to the exhibit. An administrator observes that HTTP requests from the 10.0.0.0/24 network to the 172.16.1.0/24 network are being logged but the logs show that the action taken is 'deny'. What is the most likely cause?
27. Refer to the exhibit. An administrator notices that SSH traffic from the trust zone to the untrust zone is being blocked. The administrator expected it to be allowed by rule 2. What is the most likely reason?
28. A network administrator notices that traffic from the internal zone to the external zone is being denied, even though a security policy allowing all outbound traffic exists. The internal zone is configured with a zone protection profile that has Flood Protection enabled. What is the most likely cause of the denial?
29. A company uses destination NAT to translate a public IP to an internal server. They need to ensure that traffic sourced from the internal network to the public IP is also translated correctly. What is the best practice to achieve this?
30. An organization is planning to deploy SSL decryption for outbound traffic. They want to inspect all traffic from internal users to the internet, but they need to exclude traffic to financial sites for compliance reasons. Which approach should be taken?
31. A security engineer is creating a security policy that should allow access to Salesforce.com for the sales team. The engineer configures the policy to allow application 'ssl' with no restriction on URL category. How can the engineer ensure that only traffic to Salesforce.com is allowed and not all SSL traffic?
32. A company uses Active Directory for user authentication. They want to enforce security policies based on user identity. What is the required first step to enable User-ID on the Palo Alto Networks firewall?
33. An administrator wants to protect the firewall management interface from unauthorized access. The management interface is on a separate management network. Which of the following is the best security practice to restrict access?
34. A firewall administrator needs to generate a report that shows the top applications consuming bandwidth over the last week. Which Palo Alto Networks tool should be used?
35. Two Palo Alto Networks firewalls are deployed in an active/passive high availability pair. The passive firewall does not synchronize configuration changes. What is the most likely cause?
36. Users report that some internal services are not accessible when connected via VPN, but they work when on the local network. The firewall has a policy allowing all traffic from the VPN zone to the internal zone. What should the administrator check first?
37. Which TWO are valid methods for authenticating administrative users on Palo Alto Networks firewalls? (Choose two.)
38. Which THREE actions can improve firewall performance by reducing CPU load? (Choose three.)
39. Which THREE are default security profile groups in PAN-OS? (Choose three.)
40. Refer to the exhibit. A user in the trust zone attempts to access https://www.example.com. The traffic matches rule 2 first. What is the expected behavior?
41. Refer to the exhibit. A packet arrives with source IP 192.168.1.10, destination IP 203.0.113.10, destination port 80, from zone trust. After this NAT rule is applied, what will be the destination IP and port of the packet?
42. A multinational company has deployed a Palo Alto Networks firewall in a datacenter to provide internet access to employees in the corporate office and remote branches via IPsec VPN. The firewall is configured with multiple virtual routers, security zones (trust, untrust, dmz, vpn), and policies for application and URL filtering. Recently, users in the corporate office report that they cannot access a critical cloud-based CRM application (https://crm.company.com) from their workstations, while access from remote VPN users works fine. Other websites are accessible from the corporate office. The IT team has verified that DNS resolution is correct and that the CRM server responds to pings from the firewall's management IP. The security policy includes a rule from trust to untrust that allows application 'crm-base' and 'ssl' with URL category 'crm-sites'. The administrator has checked the traffic logs and sees that sessions are being denied with the reason 'application mismatch'. Which of the following is the most likely cause and correct course of action?
43. A network administrator is configuring a new security policy to allow specific inbound traffic to a web server. The policy must be as specific as possible to minimize risk. Which configuration approach is correct?
44. A security administrator is troubleshooting an issue where users cannot access a specific website. The security policy allows web-browsing from the internal zone to the external zone. Which TWO actions should the administrator take to verify the traffic is being matched and allowed?
45. A company has a Palo Alto Networks firewall in a data center, connecting internal users (zone: Internal) to the internet (zone: Untrust). Recently, users report that they cannot access the corporate HR portal hosted on a server in the DMZ (zone: DMZ, IP 10.10.10.10) using HTTPS. The firewall has a security policy that allows traffic from Internal to DMZ with application web-browsing and service https-ssl. The policy is in place and committed. The administrator verifies that the web server is running and reachable from within the DMZ. From the firewall, a ping from the management interface to the server is successful. However, when a user tries to access https://10.10.10.10, the connection times out. Traffic logs show no sessions logged for that traffic. What is the most likely cause?
46. An organization uses a Palo Alto Networks firewall to segment its network into three zones: Corp (10.0.1.0/24), Guest (10.0.2.0/24), and Mgmt (10.0.3.0/24). The firewall is running PAN-OS 10.0. The administrator wants to ensure that only devices from the Corp zone can access the management interface of the firewall via SSH from the internal network. The management interface is physically connected to the Mgmt network, and its IP is 10.0.3.1/24. A security policy must be configured to permit this access. Which approach should the administrator take?
47. A network administrator is migrating from a legacy firewall to a new Palo Alto Networks firewall. The current firewall has a large number of ACL rules that allow traffic based on source/destination IP and port. The administrator wants to convert these rules to App-ID based policies on the Palo Alto firewall. What is the recommended best practice to ensure a smooth migration while maintaining security?
48. A security administrator is reviewing best practices for creating security policies on a Palo Alto Networks firewall. Which two of the following are recommended practices?
49. Refer to the exhibit. A user at IP 10.1.1.5 on the untrust zone is trying to access a server on the trust zone. The traffic is being blocked by a default deny rule instead of being allowed by rule1. What is the most likely reason?
50. A small company runs a Palo Alto Networks PA-220 firewall with three zones: trust (internal users), untrust (internet), and dmz (public-facing services). They host a web server on IP 10.0.1.10 in the dmz zone, serving HTTPS content. The administrator created a security policy rule that allows traffic from untrust to dmz with source 'any', destination 10.0.1.10, service HTTPS, and action allow. No security profiles are applied to this rule. Users outside the company can access the web server successfully. However, the administrator notices from log reports that certain application-based attacks, such as SQL injection and cross-site scripting, are reaching the web server undetected. The firewall has the required threat prevention licenses installed. What is the best course of action to improve security posture?
The Core Concepts domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 50 questions in the Core Concepts domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Core Concepts domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.