
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Policy Evaluation and Management

Practice PCNSA Policy Evaluation and Management questions with full explanations on every answer.


All PCNSA Policy Evaluation and Management questions (57)


1

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

2

A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?

3

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

4

An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?

5

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

6

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

7

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

8

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

9

A company has a Palo Alto Networks firewall in production. They recently configured a new security policy rule to allow outbound HTTPS traffic from the internal network (10.0.0.0/8) to the internet. The rule is placed after a block rule that denies all traffic from 10.0.0.0/8 to any external destination. After committing, users report that HTTPS access is still blocked. The administrator checks the firewall logs and sees that the traffic is being denied by the block rule. The administrator verifies the rule order: the new allow rule is at position 5, and the block rule is at position 3. The administrator also checks that the source zone (Trust) and destination zone (Untrust) are correct. What is the most likely cause of the issue?

10

A security administrator notices that traffic from an internal user to a specific external web application is being blocked unexpectedly. The user's IP is 10.10.1.50 and the destination is 203.0.113.5 on port 443. The administrator has already verified that there is a security rule allowing the traffic. Which two logs should the administrator check first to diagnose the issue?

11

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

12

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

13

Drag and drop the steps to configure Active/Passive High Availability on a Palo Alto Networks firewall into the correct order.

14

Match each security rule type to its purpose.

15

A network administrator notices that traffic from a specific subnet is being denied even though there is a permit rule that matches the source and destination. The rulebase has over 500 rules. What is the most likely cause?

16

After a policy change, a security administrator commits the candidate configuration, but the changes do not take effect immediately for all users. Some users report connectivity issues while others do not. What should the administrator check first?

17

A company wants to block file-sharing applications like BitTorrent, but allow HTTP and HTTPS. Which type of policy is most appropriate to achieve this granular control?

18

An administrator is troubleshooting why a rule is not being hit. The rule has source zone Trust, destination zone Untrust, source address 10.0.0.0/8, destination address any, application web-browsing, action allow, and log at session end. The traffic is coming from 10.1.1.1 to 1.2.3.4 on port 80, zone Trust to Untrust. The rule count shows zero hits. What could be the issue?

19

An administrator wants to use Policy Optimizer to consolidate rules. Which of the following is a prerequisite for using Policy Optimizer on a rule?

20

A security rule is configured with source zone 'Trust', destination zone 'Untrust', source address 'any', destination address '10.10.10.0/24', application 'ssl', service 'https', action 'allow', log at session end. A user from Trust zone tries to access https://10.10.10.5. The traffic is not matching. What is the most likely reason?

21

What does a 'shadowed' rule mean in the context of policy evaluation?

22

How can an administrator quickly identify which security rules are not being used in order to clean up the rulebase?

23

An administrator needs to apply a security profile that includes anti-malware and vulnerability protection to all traffic from the internal network to the internet. However, there is already a rule that allows this traffic without any profiles. What is the most efficient way to apply the profiles?

24

A security administrator is analyzing the rulebase for best practices. Which TWO of the following are recommended practices for security policy management? (Choose two.)

25

An administrator is troubleshooting why a policy is not being matched. Which THREE of the following are valid reasons a security rule might not be hit? (Choose three.)

26

An administrator wants to ensure that traffic from the corporate network to the internet is inspected by the firewall's threat prevention features. Which TWO of the following are required to achieve this? (Choose two.)

27

Refer to the exhibit. An administrator is analyzing the rulebase. Traffic from source 10.1.1.5 to destination 8.8.8.8 using web-browsing application (HTTP TCP/80). Which rule will match?

28

Refer to the exhibit. The administrator sees that traffic from 10.10.1.12 is being denied by rule2. Which action should the administrator take to allow this traffic while maintaining security?

29

Refer to the exhibit. A security rule is configured with destination address group 'internal-servers'. A packet with destination IP 10.10.20.5 arrives. Will the rule match?

30

A security administrator notices that a newly added security rule, designed to allow SSH traffic from the engineering department to a Linux server, is not being matched. The rule is placed above an existing 'deny all' rule. What is the most likely cause?

31

A company is migrating from a legacy firewall to a Palo Alto Networks firewall. The legacy policy has many rules with overlapping source and destination objects. Which feature should the administrator use to simplify the policy before migration?

32

An administrator configures a security policy with three rules in order: Rule1 allows any to any with log at session start, Rule2 allows HTTP from trust to untrust, Rule3 denies any. Traffic from an internal user to an external web server is logged as allowed. Which rule processed the traffic?

33

An administrator wants to ensure that all traffic from the engineering zone to the server zone is logged, but only when a session is established. Which log setting should be configured in the security rule?

34

A security administrator is troubleshooting a rule that appears to be matching correctly but is not allowing traffic. The rule uses source zone 'Trust' and destination zone 'Untrust', and the action is 'allow'. The traffic source is in the 'DMZ' zone. What is the most likely reason the traffic is denied?

35

An administrator needs to implement a policy where traffic from the 'Sales' zone to the 'Finance' zone is allowed only for the 'ms-office365' application, but traffic from 'Sales' to 'Finance' using any other application must be denied. Which rule design meets this requirement efficiently?

36

An administrator is reviewing the rulebase and finds a rule with a hit count of 0 over the past 30 days. What action should the administrator consider?

37

A company needs to restrict access to a critical server from external IP addresses, but internal users should have full access. Which rule structure should be used?

38

An administrator is using Policy Tester to validate a rule before deployment. The rule allows HTTP and HTTPS from user 'John' (IP 10.1.1.10) to server 192.168.1.100. The tester shows 'No match' for traffic from John's IP to the server on port 80. What could be the reason?

39

Which TWO are best practices for managing security policies in a Palo Alto Networks firewall?

40

Which TWO factors affect the order in which security rules are evaluated?

41

Which THREE are valid methods to test security policy effectiveness before deployment?

42

Refer to the exhibit. The administrator wants to remove unused rules to improve performance. Which rule should be removed?

43

Refer to the exhibit. Traffic from Sales zone to Finance zone reaches destination 10.10.10.10 using application 'ssl'. What action does the firewall take?

44

Refer to the exhibit. An internal DNS server in the trust zone communicates with an external DNS server in the untrust zone. Which rule will match the DNS traffic?

45

A network administrator adds a new security rule allowing HTTP from the Trust zone to the Untrust zone. After committing, traffic from the Trust zone to the Untrust zone is still blocked. What is the most likely cause?

46

A company wants to block all traffic from the Guest zone to the Corporate zone except DNS. What is the best practice for configuring the security policy?

47

An administrator notices that traffic from a specific IP 10.10.10.5 is not matching the expected security rule that should allow HTTP traffic. The rule uses a source address object defined as '10.10.10.0/24'. Upon investigation, the administrator finds that the traffic is from IP 10.10.10.5, but the rule still does not match. What is the most likely cause?

48

An administrator wants to require users in the Internal zone to authenticate via User-ID before accessing the Internet. Which policy configuration is necessary to enforce this requirement?

49

Which THREE actions can be taken based on hit counts in security rules? (Select three.)

50

Which TWO methods can be used to help prevent rule shadowing? (Select two.)

51

A company has a Palo Alto Networks firewall with multiple virtual routers. The security policy has a rule that allows SSH from the 'Internal' zone to the 'DMZ' zone. Recently, a new subnet 10.10.20.0/24 was added to the Internal zone. Users in that subnet report they cannot SSH to a server at 192.168.1.10 in the DMZ, while users from other subnets in Internal can. The rule has source address object '10.0.0.0/8' which includes the new subnet. The rule's source zone is Internal, destination zone is DMZ, and application is SSH. The administrator confirms the new subnet's IPs are within 10.0.0.0/8. What is the most likely cause of the problem?

52

A network administrator is tasked with implementing a policy that allows traffic from the 'Sales' zone to the 'Internet' zone only for web-browsing (application: web-browsing) and blocks all other traffic. The administrator creates a rule at the top of the security policy with source zone Sales, destination zone Internet, application web-browsing, action allow. Below that, a rule with source zone Sales, destination zone Internet, application any, action deny. After committing, users in Sales can browse the web normally. However, the administrator discovers that some users are able to use applications like YouTube and Facebook which use web-browsing as part of their app-id. The administrator wants to ensure that only HTTP/HTTPS traffic for general web browsing is allowed, not other web-based applications. What should the administrator do?

53

A small business has a Palo Alto Networks firewall with a single security policy rule that allows all traffic from the 'Trust' zone to the 'Untrust' zone. The business recently experienced a malware infection originating from an internal host that communicated with known malicious IP addresses. The administrator wants to implement a security policy to block traffic to these malicious IP destinations. The administrator has a list of 500 malicious IP addresses that may change frequently. What is the most efficient way to create a policy to block traffic to these IPs?

54

An administrator has configured multiple security rules for a data center. There is a rule that allows SSH from the 'Management' zone to the 'Server' zone. Recently, the administrator added a new rule allowing SSH from a new 'Admin' zone to the 'Server' zone. The Admin rule is placed above the Management rule. Both rules specify the correct zones, application SSH, and action allow. After committing, SSH traffic from the Admin zone is being denied. What is the most likely issue?

55

Which TWO are required to configure a Forward Proxy Decryption rule?

56

A user from 10.0.0.5 tries to access 8.8.8.8 on TCP 443. The traffic is matched to the above rule. Which additional configuration is required for the traffic to be decrypted?

57

A company has multiple branch offices connected via IPsec tunnels to a central datacenter. The central datacenter has a PA-5250 running PAN-OS 10.1. The security team wants to enforce that traffic between branches is inspected by the central firewall, not directly between branches. They configure security policies to allow inter-branch traffic through the central firewall. However, they notice that traffic between two branches (Branch A and Branch B) is not traversing the central firewall and is instead going directly between the branches via the IPsec tunnels which are configured as route-based VPNs. The security team has verified that the security policies are correctly configured to require the traffic to go through the central datacenter. What is the most likely cause?


Frequently asked questions

What does the Policy Evaluation and Management domain cover on the PCNSA exam?

The Policy Evaluation and Management domain covers the key concepts tested in this area of the PCNSA exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSA domains — no account required.

How many Policy Evaluation and Management questions are in the PCNSA question bank?

The Courseiva PCNSA question bank contains 57 questions in the Policy Evaluation and Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Policy Evaluation and Management for PCNSA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Policy Evaluation and Management questions for PCNSA?

Yes — the session launcher on this page draws questions exclusively from the Policy Evaluation and Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
