Practice PCNSA Securing Traffic questions with full explanations on every answer.
1. A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?
2. An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?
3. A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?
4. When configuring a security policy rule to allow HTTP traffic from the internal zone to the external zone, which mandatory components must be defined?
5. An administrator needs to allow inbound SMTP traffic to a mail server located in the DMZ. The firewall has a public IP address on the external interface. Which configuration is necessary to ensure the mail server receives the traffic?
6. Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)
7. Which THREE are valid methods to decrypt SSL/TLS traffic on a Palo Alto Networks firewall? (Choose three.)
8. A financial services company uses a Palo Alto Networks PA-5220 firewall in an active/passive HA pair at their headquarters. They have a single zone 'Trust-LAN' for internal users and a single zone 'Untrust-WAN' for internet traffic. The security policy currently includes a rule that allows all outbound HTTP/HTTPS traffic from 'Trust-LAN' to 'Untrust-WAN' with no security profiles applied. Recently, users have been complaining about slow internet performance, and the IT team suspects malware or botnet activity. The firewall's logs show numerous sessions to known malicious IPs, but the firewall is not blocking them. The network architect decides to implement URL Filtering and Threat Prevention profiles on the outbound rule. However, after committing the changes, some users report that legitimate websites (e.g., online banking, cloud apps) are being blocked. The IT team verifies that the URL Filtering profile is set to 'alert' for all categories except 'malware', which is set to 'block', and that the Threat Prevention profile is set to the 'default' action. What is the most likely cause of the legitimate website blocking?
9. A security administrator notices traffic from an internal user to a known malicious IP address in the corporate network. The traffic is allowed despite a security rule that blocks traffic to that IP. The rule is in a rulebase with multiple rules, and the administrator verifies that the malicious IP is correctly listed in a custom object used by the rule. What is the most likely cause of this issue?
10. Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?
11. Refer to the exhibit. A user at IP 10.10.10.10 tries to browse to http://192.0.2.50. Which rule matches this traffic?
12. Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.
13. Match each PAN-OS component to its role.
14. A network administrator wants to allow HTTP and HTTPS traffic from the untrust zone to the DMZ zone for a web server, but block all other traffic. What is the most efficient way to achieve this with a single rule?
15. A company is experiencing performance issues due to large amounts of encrypted traffic. They want to offload decryption to a dedicated appliance but still maintain visibility. Which feature should they configure on the Palo Alto Networks firewall?
16. An organization has a security policy that allows all traffic from the corporate user zone to the internet, but they want to block access to social media sites only for a specific group of users in the HR department. What is the best approach?
17. A firewall administrator wants to ensure that all traffic from the inside zone to the outside zone is inspected for threats, but without causing a bottleneck. Which profile group should be applied to the security rule?
18. A company uses a Palo Alto Networks firewall and wants to configure NAT to allow internal users to access the internet using a public IP address pool. Which NAT type should be used?
19. During a security audit, it is discovered that some applications are being incorrectly identified by the Palo Alto Networks firewall. What should the administrator do to improve application identification accuracy?
20. An administrator needs to block all traffic from a specific IP address on the external interface. What is the simplest method?
21. A user reports being unable to access an external FTP server, but other users can access it. The firewall logs show the traffic being denied. What should the administrator check first?
22. A company is implementing SSL Decryption with a forward proxy for outbound traffic. They want to ensure that traffic to sensitive sites like banking is not decrypted. What is the correct configuration?
23. An administrator wants to enforce that only certain approved applications can be used on the network. Which TWO features should be configured?
24. When creating a security policy to block malware, which THREE profile types should be applied for comprehensive protection?
25. An organization uses GlobalProtect for remote access. They want to ensure that only compliant devices can connect. Which TWO GlobalProtect features should be enabled?
26. Based on the exhibit, what will happen to an HTTPS request from an untrust zone user to destination IP 10.1.1.50?
27. An administrator notices that SSH tunnels are being blocked by the firewall. According to the exhibit, what is the most likely cause?
28. Based on the exhibit, what is the role of the rule "Allow_Outbound"?
29. A security administrator notices that traffic from the internal trust zone to the external untrust zone is being allowed despite a security policy rule explicitly denying that traffic. The rule is present in the policy list and the match conditions seem correct. What is the most likely cause of this issue?
30. A company wants to block all social media except LinkedIn. Which combination of URL filtering actions should be implemented?
31. An organization has implemented SSL forward proxy decryption. Users on Windows workstations report that many HTTPS sites show certificate errors. The firewall's decryption policy is configured correctly. What is the most likely cause?
32. A company's security policy uses application-based rules. However, some traffic from a new cloud application is being blocked even though the application is allowed in the rule. What should the administrator check first?
33. An administrator wants to block traffic from a specific user using User-ID. What is required to identify users in security policies?
34. Traffic between two internal zones is being dropped due to a security policy rule that blocks any traffic. However, the administrator needs to allow specific inter-zone traffic for a critical application. The allowed traffic is sourced from a special IP range. How should the administrator configure the security policy to permit only this traffic while still blocking other traffic?
35. A company is using Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection) in their security policies. Malware is still getting through. What is a common misconfiguration that could cause this?
36. An organization wants to hide internal IP addresses when accessing the Internet. Which type of NAT should be configured?
37. A firewall is configured with multiple virtual systems (vsys). An administrator wants to allow traffic from vsys1 to vsys2 while keeping other inter-vsys traffic blocked. How should this be accomplished?
38. Which TWO of the following are methods to identify users for User-ID? (Choose two.)
39. Which THREE components are required to successfully decrypt outbound SSL traffic using forward proxy? (Choose three.)
40. Which TWO security profile types are used to block known malware? (Choose two.)
41. A user at source IP 10.1.1.1 initiates an HTTPS connection to a web server on the internet. Which rule will the traffic match?
42. A workstation at 10.0.0.5 sends traffic to destination 8.8.8.8. Which NAT rule will be applied?
43. Based on the log entry, what is the most likely reason for the TCP reset from the client?
44. A company uses SSL Forward Proxy to decrypt all outbound HTTPS traffic. Users report significant performance degradation when accessing external web applications. Which action should the administrator take to improve performance while maintaining security?
45. A large enterprise with thousands of security rules wants to reduce rule count without compromising security visibility. The current rules use many specific applications and services. Which strategy should be implemented to consolidate rules effectively?
46. Which TWO of the following are valid methods to bypass URL filtering for internal users while still enforcing it on external traffic?
47. A network administrator is troubleshooting a connectivity issue. The firewall has a security rule that allows traffic from the Trust zone to the Untrust zone for the subnet 192.168.1.0/24 with application 'web-browsing'. However, users in that subnet cannot access any external websites. The administrator checks the logs and sees that the traffic is being blocked by a rule named 'Deny All' that is listed before the allow rule in the policy order. What is the most likely cause of the problem?
A. The rule order is incorrect; the allow rule is below the 'Deny All' rule.
B. The source address object for the allow rule is misconfigured with a wrong subnet mask.
C. The application 'web-browsing' is not being properly identified by App-ID.
D. The User-ID agent is overriding the allow rule and triggering a block action.
48. A company configures GlobalProtect for remote access. Remote users can successfully connect to the firewall and obtain an IP address, but they cannot access internal resources (e.g., file servers) located in the internal network. The firewall has a security rule that allows traffic from the GlobalProtect zone to the internal zone with appropriate applications. Logs show that traffic from remote users is being matched to a different rule that denies inter-zone traffic from the GlobalProtect zone to the internal zone. The administrator checks the GlobalProtect gateway configuration and sees that the gateway assigns IP addresses from a pool, but no internal routes are defined. What is the most likely issue?
A. The GlobalProtect gateway configuration is missing internal resource routes or split-tunneling settings.
B. The User-ID agent is not mapping remote usernames correctly.
C. The source zone in the security rule is set to 'Trust' instead of 'GlobalProtect'.
D. The internal resources require a specific security profile that is not applied to the rule.
49. An organization implements SSL Forward Proxy to decrypt outbound HTTPS traffic, with a security rule that includes Vulnerability Protection and Anti-Malware profiles. Despite this, certain malware downloaded over HTTPS is not being blocked. The administrator observes that the traffic is decrypted and matches the security rule. The decryption policy excludes decryption for the financial services category. The malware is delivered from a known malicious domain that is not in the financial services category. The analysis shows that the malware uses a custom packer that is not recognized by the current Anti-Malware signatures. What is the most likely reason the malware bypasses detection?
A. The decryption exclusion list includes the domain of the malware source.
B. The Anti-Malware profile is set to 'default', which may not block unknown malware effectively.
C. The firewall is missing the latest content updates for WildFire.
D. The security rule uses application 'ssl' but not 'web-browsing' for the traffic.
50. A security administrator configures log forwarding to send threat logs to a central SIEM. The administrator creates a log forwarding profile that includes 'threat' and 'traffic' log types, and applies the profile to several security rules. After verifying, the SIEM receives logs for allowed traffic, but does not receive any logs for denied traffic. The administrator confirms that the deny rules also have the same log forwarding profile applied. What is the most likely cause of the missing denied traffic logs?
A. The log forwarding profile is not configured to forward logs for denied sessions.
B. The SIEM is not configured to receive syslog messages for deny actions.
C. The firewall is logging only at session end and the deny sessions are not completing.
D. The log forwarding profile only includes 'traffic' logs and not 'threat' logs.
51. An organization wants to segment internal traffic between the Engineering and Finance departments and apply threat prevention. Which TWO actions should be taken? (Choose two.)
52. Refer to the exhibit. A user from 10.0.0.10 attempts to access an HTTP website hosted on 203.0.113.5 using TCP port 8080. The connection fails. The firewall logs show no session for this traffic. What is the most likely cause?
53. A company recently deployed a Palo Alto Networks PA-220 firewall to secure outbound web access. The security policies include a rule named 'Allow-Web' with the following configuration: source zone 'Inside', destination zone 'Outside', application 'web-browsing', service 'application-default', action 'allow'. All other traffic is denied by a default deny rule. Users report that they can access most public websites, but they cannot access a partner's website hosted at 203.0.113.50 on TCP port 8080. Connections to this site time out. DNS resolution for the hostname works correctly. The firewall logs show that traffic from internal users to 203.0.113.50:8080 is not matching any rule and is being denied by the default deny rule. Which action should the administrator take to resolve the issue while adhering to security best practices?
The Securing Traffic domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.
The Courseiva PCNSA question bank contains 53 questions in the Securing Traffic domain, each with a full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.