Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Securing Traffic

Practice PCNSA Securing Traffic questions with full explanations on every answer.

53 questions


All PCNSA Securing Traffic questions (53)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

2

An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?

3

A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?

4

When configuring a security policy rule to allow HTTP traffic from the internal zone to the external zone, which mandatory components must be defined?

5

An administrator needs to allow inbound SMTP traffic to a mail server located in the DMZ. The firewall has a public IP address on the external interface. Which configuration is necessary to ensure the mail server receives the traffic?

6

Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)

7

Which THREE are valid methods to decrypt SSL/TLS traffic on a Palo Alto Networks firewall? (Choose three.)

8

A financial services company uses a Palo Alto Networks PA-5220 firewall in an active/passive HA pair at their headquarters. They have a single zone 'Trust-LAN' for internal users and a single zone 'Untrust-WAN' for internet traffic. The security policy currently includes a rule that allows all outbound HTTP/HTTPS traffic from 'Trust-LAN' to 'Untrust-WAN' with no security profiles applied. Recently, users have been complaining about slow internet performance, and the IT team suspects malware or botnet activity. The firewall's logs show numerous sessions to known malicious IPs, but the firewall is not blocking them. The network architect decides to implement URL Filtering and Threat Prevention profiles on the outbound rule. However, after committing the changes, some users report that legitimate websites (e.g., online banking, cloud apps) are being blocked. The IT team verifies that the URL Filtering profile is set to 'alert' for all categories except 'malware' which is 'block', and the Threat Prevention profile is set to 'default' action. What is the most likely cause of the legitimate website blocking?

9

A security administrator notices traffic from an internal user to a known malicious IP address in the corporate network. The traffic is allowed despite a security rule that blocks traffic to that IP. The rule is in a rulebase with multiple rules, and the administrator verifies that the malicious IP is correctly listed in a custom object used by the rule. What is the most likely cause of this issue?

10

Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?

11

Refer to the exhibit. A user at IP 10.10.10.10 tries to browse to http://192.0.2.50. Which rule matches this traffic?

12

Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.

13

Match each PAN-OS component to its role.

14

A network administrator wants to allow HTTP and HTTPS traffic from untrust zone to DMZ zone for a web server, but block all other traffic. What is the most efficient way to achieve this with a single rule?

15

A company is experiencing performance issues due to large amounts of encrypted traffic. They want to offload decryption to a dedicated appliance but still maintain visibility. Which feature should they configure on the Palo Alto Networks firewall?

16

An organization has a security policy that allows all traffic from the corporate user zone to the internet, but they want to block access to social media sites only for a specific group of users in the HR department. What is the best approach?

17

A firewall administrator wants to ensure that all traffic from the inside zone to the outside zone is inspected for threats, but without causing a bottleneck. Which profile group should be applied to the security rule?

18

A company uses Palo Alto Networks firewall and wants to configure NAT to allow internal users to access the internet using a public IP address pool. Which NAT type should be used?

19

During a security audit, it is discovered that some applications are being incorrectly identified by the Palo Alto Networks firewall. What should the administrator do to improve application identification accuracy?

20

An administrator needs to block all traffic from a specific IP address on the external interface. What is the simplest method?

21

A user reports being unable to access an external FTP server, but other users can access it. The firewall logs show the traffic being denied. What should the administrator check first?

22

A company is implementing SSL Decryption with a forward proxy for outbound traffic. They want to ensure that traffic to sensitive sites like banking is not decrypted. What is the correct configuration?

23

An administrator wants to enforce that only certain approved applications can be used on the network. Which TWO features should be configured?

24

When creating a security policy to block malware, which THREE profile types should be applied for comprehensive protection?

25

An organization uses GlobalProtect for remote access. They want to ensure that only compliant devices can connect. Which TWO GlobalProtect features should be enabled?

26

Based on the exhibit, what will happen to an HTTPS request from an untrust zone user to destination IP 10.1.1.50?

27

An administrator notices that SSH tunnels are being blocked by the firewall. According to the exhibit, what is the most likely cause?

28

Based on the exhibit, what is the role of the rule "Allow_Outbound"?

29

A security administrator notices that traffic from the internal trust zone to the external untrust zone is being allowed despite a security policy rule explicitly denying that traffic. The rule is present in the policy list and the match conditions seem correct. What is the most likely cause of this issue?

30

A company wants to block all social media except LinkedIn. Which combination of URL filtering actions should be implemented?

31

An organization has implemented SSL forward proxy decryption. Users on Windows workstations report that many HTTPS sites show certificate errors. The firewall's decryption policy is configured correctly. What is the most likely cause?

32

A company's security policy uses application-based rules. However, some traffic from a new cloud application is being blocked even though the application is allowed in the rule. What should the administrator check first?

33

An administrator wants to block traffic from a specific user using User-ID. What is required to identify users in security policies?

34

Traffic between two internal zones is being dropped due to a security policy rule that blocks any traffic. However, the administrator needs to allow specific inter-zone traffic for a critical application. The allowed traffic is sourced from a special IP range. How should the administrator configure the security policy to permit only this traffic while still blocking other traffic?

35

A company is using Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection) in their security policies. Malware is still getting through. What is a common misconfiguration that could cause this?

36

An organization wants to hide internal IP addresses when accessing the Internet. Which type of NAT should be configured?

37

A firewall is configured with multiple virtual systems (vsys). An administrator wants to allow traffic from vsys1 to vsys2 while keeping other inter-vsys traffic blocked. How should this be accomplished?

38

Which TWO of the following are methods to identify users for User-ID? (Choose two.)

39

Which THREE components are required to successfully decrypt outbound SSL traffic using forward proxy? (Choose three.)

40

Which TWO security profile types are used to block known malware? (Choose two.)

41

A user at source IP 10.1.1.1 initiates an HTTPS connection to a web server on the internet. Which rule will the traffic match?

42

A workstation at 10.0.0.5 sends traffic to destination 8.8.8.8. Which NAT rule will be applied?

43

Based on the log entry, what is the most likely reason for the TCP reset from the client?

44

A company uses SSL Forward Proxy to decrypt all outbound HTTPS traffic. Users report significant performance degradation when accessing external web applications. Which action should the administrator take to improve performance while maintaining security?

45

A large enterprise with thousands of security rules wants to reduce rule count without compromising security visibility. The current rules use many specific applications and services. Which strategy should be implemented to consolidate rules effectively?

46

Which TWO of the following are valid methods to bypass URL filtering for internal users while still enforcing it on external traffic?

47

A network administrator is troubleshooting a connectivity issue. The firewall has a security rule that allows traffic from the Trust zone to the Untrust zone for the subnet 192.168.1.0/24 with application 'web-browsing'. However, users in that subnet cannot access any external websites. The administrator checks the logs and sees that the traffic is being blocked by a rule named 'Deny All' that is listed before the allow rule in the policy order. What is the most likely cause of the problem?

The rule order is incorrect; the allow rule is below the 'Deny All' rule.
The source address object for the allow rule is misconfigured with a wrong subnet mask.
The application 'web-browsing' is not being properly identified by App-ID.
The User-ID agent is overriding the allow rule and triggering a block action.

48

A company configures GlobalProtect for remote access. Remote users can successfully connect to the firewall and obtain an IP address, but they cannot access internal resources (e.g., file servers) located in the internal network. The firewall has a security rule that allows traffic from the GlobalProtect zone to the internal zone with appropriate applications. Logs show that traffic from remote users is being matched to a different rule that denies inter-zone traffic from the GlobalProtect zone to the internal zone. The administrator checks the GlobalProtect gateway configuration and sees that the gateway assigns IP addresses from a pool, but no internal routes are defined. What is the most likely issue?

The GlobalProtect gateway configuration is missing internal resource routes or split-tunneling settings.
The User-ID agent is not mapping remote usernames correctly.
The source zone in the security rule is set to 'Trust' instead of 'GlobalProtect'.
The internal resources require a specific security profile that is not applied to the rule.

49

An organization implements SSL Forward Proxy to decrypt outbound HTTPS traffic, with a security rule that includes Vulnerability Protection and Anti-Malware profiles. Despite this, certain malware downloaded over HTTPS is not being blocked. The administrator observes that the traffic is decrypted and matches the security rule. The decryption policy excludes decryption for financial services category. The malware is delivered from a known malicious domain that is not in the financial services category. The analysis shows that the malware uses a custom packer that is not recognized by the current Anti-Malware signatures. What is the most likely reason the malware bypasses detection?

The decryption exclusion list includes the domain of the malware source.
The Anti-Malware profile is set to 'default' which may not block unknown malware effectively.
The firewall is missing the latest content updates for WildFire.
The security rule uses application 'ssl' but not 'web-browsing' for the traffic.

50

A security administrator configures log forwarding to send threat logs to a central SIEM. The administrator creates a log forwarding profile that includes 'threat' and 'traffic' log types, and applies the profile to several security rules. After verifying, the SIEM receives logs for allowed traffic, but does not receive any logs for denied traffic. The administrator confirms that the deny rules also have the same log forwarding profile applied. What is the most likely cause of the missing denied traffic logs?

The log forwarding profile is not configured to forward logs for denied sessions.
The SIEM is not configured to receive syslog messages for deny actions.
The firewall is logging only at session end and the deny sessions are not completing.
The log forwarding profile only includes 'traffic' logs and not 'threat' logs.

51

An organization wants to segment internal traffic between the Engineering and Finance departments and apply threat prevention. Which TWO actions should be taken? (Choose two.)

52

Refer to the exhibit. A user from 10.0.0.10 attempts to access an HTTP website hosted on 203.0.113.5 using TCP port 8080. The connection fails. The firewall logs show no session for this traffic. What is the most likely cause?

53

A company recently deployed a Palo Alto Networks PA-220 firewall to secure outbound web access. The security policies include a rule named 'Allow-Web' with the following configuration: source zone 'Inside', destination zone 'Outside', application 'web-browsing', service 'application-default', action 'allow'. All other traffic is denied by a default deny rule. Users report that they can access most public websites, but they cannot access a partner's website hosted at 203.0.113.50 on TCP port 8080. Connections to this site time out. DNS resolution for the hostname works correctly. The firewall logs show that traffic from internal users to 203.0.113.50:8080 is not matching any rule and is being denied by the default deny rule. Which action should the administrator take to resolve the issue while adhering to security best practices?


Other PCNSA exam domains

Managing Objects, Policy Evaluation and Management, Core Concepts, Palo Alto Networks Platforms and Architecture, Device Management and Services, App-ID and Content-ID, Decryption and Monitoring

Frequently asked questions

What does the Securing Traffic domain cover on the PCNSA exam?

The Securing Traffic domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Securing Traffic questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 53 questions in the Securing Traffic domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Securing Traffic for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Securing Traffic questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Securing Traffic domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
