Palo Alto Networks · Free Practice Questions · Last reviewed May 2026
48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.
An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?
Address object
Address object directly defines a specific IP address.
Tag
Address group
Region
A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?
NAT address pool
The translated source addresses in a NAT rule are what give each branch a unique, non-overlapping range on the data-center side; of the objects listed, this is the only one that describes translated addresses. An EDL and a service group are policy match objects, and an IPsec Crypto profile only sets the tunnel's ciphers and lifetimes.
External dynamic list
Service group
IPsec Crypto profile
During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?
Use a region object instead
Create a dynamic address group with a tag-based filter
Use an FQDN object in the address group; the firewall resolves it automatically
FQDN objects automatically resolve and update IPs.
Manually add all possible IP addresses to an address group
An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?
Application object
Application objects define specific applications like web-browsing.
Application filter
Application group
Service object
Which TWO statements about External Dynamic Lists (EDLs) are true?
EDLs can be used in security policy source and destination fields.
EDLs can be used as address objects in policies.
EDLs have a fixed refresh interval that cannot be changed.
EDLs must be manually updated by an administrator.
EDLs support both IP addresses and URLs.
EDLs can contain IPs, URLs, or domains.
EDLs allow the administrator to add individual IPs directly via the GUI.
An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?
The application 'web-browsing' does not cover port 8080 traffic.
The rule's Service is left at the default of application-default, so web-browsing only matches on the ports App-ID lists as standard for it. Traffic on a non-standard port is still identified as web-browsing, but the service check fails, the rule does not match, and the session falls through to the predefined interzone-default deny (the Traffic log's Rule column shows this). Verify the application's standard ports under Objects > Applications, then either add a Service object for tcp/8080 to the rule or define a custom application for the internal app.
The rule order is incorrect; a previous rule is denying the traffic.
The destination address object 10.10.0.0/16 is incorrect.
The source zone 'GP' should be 'untrust'.
A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?
The rule only allows traffic from Engineering to Servers zone, not DMZ.
The rule explicitly allows Engineering to Servers; traffic to DMZ is not covered and is denied by default.
The rule is configured as an intrazone rule.
The rule is disabled in the rulebase.
SSL decryption is blocking the traffic.
A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?
Create two rules: one for general traffic with 'allow' action and a 'threat' profile, and a higher-priority rule for video conferencing traffic with 'allow' action and no threat profile.
A higher-priority rule that matches the conferencing application by App-ID (not by port) and carries no Threat profile bypasses inspection for just that traffic, while the general rule below it keeps its Threat profile for everything else. Because first match wins, the bypass rule must sit above the general rule, and it should be as narrow as possible so that nothing else rides through uninspected.
Create a single rule with 'allow' action and no security profiles, and rely on the firewall's default behavior to inspect malware.
Create a single rule with 'allow' action and a 'threat' profile applied, and rely on the firewall's ability to skip inspection for video traffic automatically.
Use policy-based forwarding to route video traffic to a separate interface that has no security profiles.
A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?
The source IP is negated in the rule.
The rule is placed at the top of the rulebase and overridden by a later rule.
The rule is positioned below an allow rule that matches the same traffic.
First match wins, so the allow rule matches before the block rule.
The rule is disabled in the rulebase.
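The three troubleshooting questions above (web-browsing on port 8080, a rule that names the wrong destination zone, and a block rule placed below an allow rule) all come down to how the Security rulebase is evaluated. The following is an added worked example, not code from the page or from Palo Alto Networks: a toy Python model of first-match evaluation in which the zones, rules and the table of App-ID standard ports are constructed for the illustration. It shows that traffic on a non-standard port is still identified as the application but fails the application-default service check, that an unmatched zone pair falls to interzone-default, and that moving the block rule above the allow rule is what makes it take effect.

```python
"""Toy model of PAN-OS Security policy evaluation (added example, not firewall code).
Zones, rules and the App-ID standard-port table are constructed for the illustration."""
from dataclasses import dataclass, replace
import ipaddress

# Constructed subset of App-ID standard ports (assumption for this example).
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)},
                     "dns": {("udp", 53), ("tcp", 53)}, "ssh": {("tcp", 22)}}
ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    sources: tuple           # CIDR strings, or ("any",)
    destinations: tuple
    applications: frozenset  # App-IDs, or ANY
    service: object          # "application-default", "any", or frozenset of (proto, port)
    action: str              # "allow" | "deny" | "drop"
    disabled: bool = False


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str     # what App-ID identified, independent of the port
    proto: str
    dport: int


def _addr_match(cidrs, ip):
    return "any" in cidrs or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _service_match(rule, s):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # App-ID still names the app; only the port check fails on a non-standard port.
        return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.dport) in rule.service


def rule_matches(rule, s):
    return (not rule.disabled
            and ("any" in rule.from_zones or s.from_zone in rule.from_zones)
            and ("any" in rule.to_zones or s.to_zone in rule.to_zones)
            and _addr_match(rule.sources, s.src) and _addr_match(rule.destinations, s.dst)
            and ("any" in rule.applications or s.app in rule.applications)
            and _service_match(rule, s))


def evaluate(rulebase, s):
    """First matching rule wins; otherwise the predefined intrazone-default (allow)
    or interzone-default (deny) rule applies, as shown in the Traffic log's Rule column."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return ("intrazone-default", "allow") if s.from_zone == s.to_zone else ("interzone-default", "deny")


def Z(*names):
    return frozenset(names)


RULEBASE = (
    Rule("allow-web-out", Z("Trust"), Z("Untrust"), ("any",), ("any",), Z("web-browsing", "ssl"),
         "application-default", "allow"),
    # Sits below the allow rule, so the host's web traffic never reaches it (shadowed).
    Rule("block-bad-host", Z("Trust"), Z("Untrust"), ("10.1.1.50/32",), ("any",), ANY, "any", "deny"),
    Rule("eng-to-servers", Z("Engineering"), Z("Servers"), ("any",), ("any",), ANY, "application-default", "allow"),
    Rule("gp-to-dc", Z("GP"), Z("DC"), ("172.16.0.0/24",), ("10.10.0.0/16",), Z("web-browsing", "ssl", "dns"),
         "application-default", "allow"),
)


def demo():
    """Run the scenarios from the questions above and return {case: (rule, action)}."""
    out = {}
    web8080 = Session("GP", "DC", "172.16.0.10", "10.10.5.5", "web-browsing", "tcp", 8080)
    out["web-on-8080"] = evaluate(RULEBASE, web8080)                 # falls to interzone-default
    out["web-on-80"] = evaluate(RULEBASE, replace(web8080, dport=80))
    fixed = tuple(replace(r, service=Z(("tcp", 80), ("tcp", 8080))) if r.name == "gp-to-dc" else r
                  for r in RULEBASE)                                  # explicit Service object instead
    out["web-on-8080-fixed"] = evaluate(fixed, web8080)
    out["eng-to-dmz"] = evaluate(RULEBASE, Session("Engineering", "DMZ", "10.2.0.9", "10.9.0.4", "ssh", "tcp", 22))
    bad = Session("Trust", "Untrust", "10.1.1.50", "198.51.100.7", "web-browsing", "tcp", 80)
    out["shadowed-block"] = evaluate(RULEBASE, bad)
    out["block-moved-up"] = evaluate((RULEBASE[1], RULEBASE[0]) + RULEBASE[2:], bad)
    return out


if __name__ == "__main__":
    for case, (rule, action) in demo().items():
        print(f"{case:18s} -> {rule} ({action})")
```

Running the block prints one verdict per case; the two "fixed" cases show the repairs the explanations recommend (an explicit Service object, and reordering the rulebase). On a real firewall the same checks are the Rule column of the Traffic log and the Policy Optimizer's shadow and hit-count views.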
An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?
The firewall is configured to use DNS sinkholing, which bypasses URL filtering.
The rule is placed too low in the rulebase and a higher rule allows traffic without URL filtering.
The rule uses a source zone of 'Corporate' but the users are in a different zone.
The URL Filtering profile is set to 'alert' instead of 'block' for the relevant categories.
An alert action logs but allows traffic; it does not block.
A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?
Create a single rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user 'any', action 'allow' and enable logging.
Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user set to an LDAP group containing the administrators, action 'allow', and a second rule with same match criteria but action 'drop' and log at end.
User-ID integration allows scalable user-based policies.
Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', action 'allow', and rely on the firewall's default deny rule for others.
Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source address list of all administrators' IPs, action 'allow', and a catch-all drop rule.
Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)
Enable logging on all rules to ensure complete audit trails.
Use zone-based policies instead of IP-based policies whenever possible.
Zone-based policies are more scalable and easier to manage.
Sort rules alphabetically by name to simplify rulebase navigation.
Disable unused rules rather than deleting them to preserve rule order for future use.
Disabling keeps the rule in the rulebase without affecting traffic, so it can be reviewed (Policy Optimizer shows rules with no hits) and deleted later once nobody has missed it.
Use service objects based on TCP/UDP ports to define application traffic.
A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?
The TCP sequence numbers are out of order, causing the packets to be out of the expected window.
The NAT policy is misconfigured, causing the source IP to not be translated correctly.
The security policy uses an incorrect service object that doesn't match the application.
Asymmetric routing is causing packets to arrive at a firewall that did not see the initial SYN.
Asymmetric routing leads to tcp-non-syn drops because the firewall has no session for the non-SYN packet: by default PAN-OS rejects a TCP packet that does not open a session with a SYN. Confirm it with the global counter flow_tcp_non_syn_drop (show counter global filter severity drop) and fix the routing so both directions cross the same firewall; turning off the non-SYN check is a last resort because it weakens session validation.
An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?
DNS Security profile
DNS Security is the subscription built to detect and block DNS tunneling and other malicious DNS traffic. On the firewall it is configured in the Anti-Spyware profile's DNS Policies tab, which is why the Anti-Spyware option is the close distractor here.
Vulnerability Protection profile
URL Filtering profile
Anti-Spyware profile
A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?
A zone protection profile is blocking ICMP packets.
The virtual router does not have a default route to the external network.
Without a route, the firewall cannot forward packets to the destination.
The decryption policy is blocking the traffic because it is not decrypted.
The NAT policy is missing for the outbound traffic.
When configuring a security policy rule to allow HTTP traffic from the internal zone to the external zone, which mandatory components must be defined?
Source Zone, Destination Zone, Application, and User
Source Zone, Destination Zone, Application, and Service
Source Zone, Destination Zone, Service, and Action
Source Zone, Destination Zone, Source Address, Destination Address, Application, and Action
These are the minimum required fields in a security policy rule.
An administrator needs to allow inbound SMTP traffic to a mail server located in the DMZ. The firewall has a public IP address on the external interface. Which configuration is necessary to ensure the mail server receives the traffic?
Configure a Source NAT rule to translate the mail server's IP to the public IP.
Configure a Destination NAT rule and a security policy rule allowing SMTP from external to DMZ.
Destination NAT translates the public IP to the server's private IP, and the Security policy rule permits the session. Remember the zone/address split: the Security rule's destination address is the pre-NAT public IP, while its destination zone is the post-NAT zone (DMZ) that a route lookup on the translated address yields.
Configure a security policy rule with source NAT to translate the public IP to the private IP.
Configure a security policy rule allowing SMTP from external to DMZ without NAT.
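The pre-NAT/post-NAT split in the explanation above is the part of this question that trips people up in practice. Below is an added worked example, not code from the page or from Palo Alto Networks: a small Python model that derives what the NAT rule and the Security rule must match for an inbound destination-NAT flow. The interfaces, routes, addresses and the single DNAT rule are constructed for the illustration; the behaviour it encodes is PAN-OS's rule that Security policy matches on pre-NAT addresses but on the post-NAT destination zone, which the firewall finds by a route lookup on the translated address.

```python
"""Added example: zones and addresses an inbound destination-NAT flow needs in the
NAT rule and in the Security rule. Topology and addresses are constructed."""
import ipaddress

# Constructed topology: egress interface per prefix, and zone per interface.
ROUTES = (("0.0.0.0/0", "ethernet1/1"), ("203.0.113.0/24", "ethernet1/1"),
          ("10.1.1.0/24", "ethernet1/2"), ("10.1.2.0/24", "ethernet1/3"))
INTERFACE_ZONE = {"ethernet1/1": "Untrust", "ethernet1/2": "DMZ", "ethernet1/3": "Trust"}

# Constructed DNAT rule: public mail address on tcp/25 -> DMZ mail server.
DNAT_RULES = ({"orig_dst": "203.0.113.10", "proto": "tcp", "dport": 25, "translated": "10.1.1.25"},)


def zone_for(ip):
    """Longest-prefix route lookup, then the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(p), ifname) for p, ifname in ROUTES
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None  # no route: the packet is dropped before policy is consulted
    _, ifname = max(candidates, key=lambda c: c[0].prefixlen)
    return INTERFACE_ZONE[ifname]


def apply_dnat(dst, proto, dport):
    for r in DNAT_RULES:
        if r["orig_dst"] == dst and r["proto"] == proto and r["dport"] == dport:
            return r["translated"]
    return dst


def policy_lookup_tuples(ingress_if, src, dst, proto, dport):
    """Return what the NAT rule and the Security rule must match for this flow."""
    from_zone = INTERFACE_ZONE[ingress_if]
    post_dst = apply_dnat(dst, proto, dport)
    # NAT rule: destination zone comes from a route lookup on the PRE-NAT address.
    nat_tuple = {"from_zone": from_zone, "to_zone": zone_for(dst), "destination": dst}
    # Security rule: pre-NAT destination ADDRESS, but POST-NAT destination ZONE.
    security_tuple = {"from_zone": from_zone, "to_zone": zone_for(post_dst),
                      "destination": dst, "translated_destination": post_dst}
    return nat_tuple, security_tuple


def security_rule_matches(rule, sec):
    """A Security rule written against the wrong zone or the private IP never matches."""
    return (rule["from_zone"] == sec["from_zone"] and rule["to_zone"] == sec["to_zone"]
            and rule["destination"] == sec["destination"])


def demo():
    """Inbound SMTP from a constructed internet host to the published mail address."""
    nat, sec = policy_lookup_tuples("ethernet1/1", "198.51.100.5", "203.0.113.10", "tcp", 25)
    correct = {"from_zone": "Untrust", "to_zone": "DMZ", "destination": "203.0.113.10"}
    wrong_zone = {"from_zone": "Untrust", "to_zone": "Untrust", "destination": "203.0.113.10"}
    wrong_addr = {"from_zone": "Untrust", "to_zone": "DMZ", "destination": "10.1.1.25"}
    return {"nat": nat, "security": sec,
            "correct": security_rule_matches(correct, sec),
            "wrong_zone": security_rule_matches(wrong_zone, sec),
            "wrong_addr": security_rule_matches(wrong_addr, sec)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two "wrong" rules in demo() are the common mistakes: copying the NAT rule's Untrust-to-Untrust zones into the Security rule, or writing the Security rule against the server's private address. Both look reasonable in the GUI and both land the session on interzone-default.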
Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)
Enable DNS Security on the outbound DNS traffic.
DNS Security detects tunneling attempts.
Configure DNS policies to block requests to unknown domains.
This restricts DNS to known domains only.
Allow all TCP traffic on port 53.
Enable logging on all DNS traffic for analysis.
Block all UDP traffic on port 53.
A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?
A Zone Protection profile is dropping the traffic.
A DoS Protection policy rule with a DoS Protection profile is dropping the traffic.
DoS Protection (like Zone Protection) is evaluated before Security policy, so it can drop sessions that a Security rule would permit. DoS Protection profiles are attached to DoS Protection policy rules, not to Security rules, which is why a permitting Security rule in the Unified Policy view does not rule them out; check the Threat log for flood entries against the destination.
A decryption policy is blocking the traffic.
The Security policy rule has a source zone mismatch.
An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?
Install a virtual wire between the virtual routers.
Add static routes for the remote subnets in each virtual router.
Configure a default route in each virtual router pointing to the other.
Create a Security policy rule that allows traffic between the virtual routers.
Traffic between virtual routers still crosses a zone boundary and is evaluated against Security policy. A static route in each virtual router with the other virtual router as next hop is needed for the traffic to be forwarded at all, but it is the Security rule that permits the traffic and applies the inspection profiles.
A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?
Create a new Security policy rule with an Application ID that blocks social-media applications.
Create a new Security policy rule with a URL Filtering profile that blocks the social-media category.
A URL Filtering profile blocks by category (social-networking) without maintaining a list of individual applications or destinations; to limit the block to business hours, attach a Schedule object to the rule.
Add a Custom Signature to the existing rule to block social media traffic.
Modify the existing web browsing rule to deny social media destinations.
A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?
A DDoS attack is flooding the firewall with SYN packets.
An application on the internal network is not completing TCP handshakes.
Half-open connections are TCP handshakes that never complete. When the sources are a few internal hosts that keep failing to finish the handshake, a broken application is the likely cause; when the sources are many external addresses, it is a SYN flood, which is what a Zone Protection profile with SYN cookies or Random Early Drop is for.
The firewall's TCP timeout setting is too short.
The firewall's hardware is failing.
A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?
Create a Security policy rule that allows traffic from any source to the web server on destination ports 80 and 443.
This permits HTTP and HTTPS traffic. Matching the applications web-browsing and ssl with Service set to application-default expresses the same rule through App-ID and is the preferred form, since a port-only rule lets any application that happens to use 80 or 443 through.
Configure an SSL Forward Proxy decryption policy to decrypt HTTPS traffic.
Create a Security policy rule that allows all traffic to the web server and relies on Application ID to filter.
Create a Security policy rule that blocks all traffic not matching the web-browsing and ssl applications.
Attach a Vulnerability Protection profile to the Security policy rule.
A Vulnerability Protection profile inspects the allowed sessions for exploit attempts against the server. For the HTTPS half to be inspected, the firewall also needs SSL Inbound Inspection with the server's certificate and private key; SSL Forward Proxy is for outbound traffic and does not fit a server you own.
A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?
Configure a DNS proxy to resolve domain names.
Assign an IP address to the internal interface and set it as a Layer 3 interface.
Required for internal network connectivity.
Enable User-ID to identify users on the network.
Create a Security policy rule that allows traffic from internal zone to external zone.
Required to permit outbound traffic.
Configure a source NAT policy to translate internal private IP addresses to the external public IP.
Necessary for outbound internet access.
A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?
The rule is placed below an earlier rule that also matches the traffic.
The firewall's license for the threat prevention subscription has expired.
The firewall is in an active/passive HA pair and the passive unit is handling traffic.
The rule is disabled in the rulebase.
A disabled rule is not evaluated, so traffic matching that rule will not be inspected.
An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?
Create three zones: Web, App, DB. Create rules that allow only necessary protocols (e.g., HTTP/HTTPS from internet to Web, specific ports from Web to App, and specific ports from App to DB).
This follows least-privilege principles by allowing only required traffic between specific zones and ports.
Create three zones: Web, App, DB. Allow all traffic from Web to App and App to DB, and block all other inter-zone traffic.
Place web servers in an untrust zone and app/database in a trust zone, then allow all traffic from trust to untrust.
Place all servers in the same zone and use rules to allow traffic between them.
A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?
The firewall does not have a route to the 10.0.0.0/24 network.
Without a route, the firewall cannot forward the packet to the destination, even if the security rule allows it.
The security rule is not placed at the top of the rulebase.
A zone protection profile is blocking the traffic.
The destination server does not have a route back to the 192.168.1.0/24 subnet.
A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?
Destination NAT policy to translate the public IP to the internal server.
SSL decryption policy to decrypt traffic to the web server.
A security policy rule that allows traffic from the internet zone to the DMZ zone and has a threat prevention profile attached.
The security rule with a threat profile enables inspection of allowed traffic.
A QoS policy to prioritize web traffic.
After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?
The firewall's CPU and memory are insufficient for the new PAN-OS version.
The upgrade triggered a full commit of the entire configuration, which takes longer than a partial commit.
After an upgrade, the system often performs a full commit to apply structural changes, which is slower.
The firewall is performing a backup of the configuration.
The rulebase has grown too large.
A firewall is configured with multiple virtual routers. Traffic from a host in Vsys A needs to reach a server in Vsys B. Both virtual routers have direct routes to their respective subnets. What additional configuration is required?
Configure inter-virtual-router routing (a static route whose next hop is the other virtual router) and an External zone between Vsys A and Vsys B.
Inter-vsys traffic needs a forwarding path between the two virtual routers plus a zone of type External on each vsys so that the other vsys can be referenced in policy. A Security rule is needed as well, but without the path the rule never sees the traffic.
Create a security rule that allows traffic from the source zone in Vsys A to the destination zone in Vsys B.
Ensure both virtual routers are in the same virtual system.
Configure a NAT policy to translate the source IP to an IP in Vsys B's subnet.
A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?
Search Traffic logs with filters for source 10.1.1.100 and destination 192.168.2.10
Traffic logs show the action (allow/deny/drop) for each session, and filtering by IPs narrows down the specific session.
Search Threat logs for the destination IP
Search Config logs for any rule changes
Search System logs for the user's IP
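The Traffic log query in the answer above, and the tcp-non-syn/asymmetric-routing question earlier on this page, are both exercises in reading an exported Traffic log. The block below is an added worked example, not code from the page or from Palo Alto Networks. The log export is constructed and uses a simplified subset of columns chosen for the illustration, not the real PAN-OS CSV layout; the filter expression quoted in the comment is the PAN-OS log filter syntax, but the Python filter is an assumption-free reimplementation of it over the sample rows.

```python
"""Added example: run the Monitor > Logs > Traffic query from the question over a
constructed log export. Columns are a simplified subset; values are constructed."""
import csv
from collections import Counter
from io import StringIO

SAMPLE_EXPORT = """\
receive_time,from_zone,to_zone,src,dst,dport,app,rule,action,session_end_reason
2026/05/01 09:00:01,Trust,DMZ,10.1.1.100,192.168.2.10,443,ssl,interzone-default,deny,policy-deny
2026/05/01 09:00:02,Trust,DMZ,10.1.1.100,192.168.2.10,80,web-browsing,interzone-default,deny,policy-deny
2026/05/01 09:00:03,Trust,Untrust,10.1.1.101,198.51.100.7,443,ssl,allow-web-out,allow,tcp-fin
2026/05/01 09:00:04,Trust,DMZ,10.1.1.102,192.168.2.10,443,ssl,trust-to-dmz-web,allow,tcp-rst-from-server
2026/05/01 09:00:05,DC,Trust,10.10.5.5,10.1.1.77,51000,incomplete,dc-to-trust,allow,aged-out
2026/05/01 09:00:06,DC,Trust,10.10.5.6,10.1.1.77,51002,incomplete,dc-to-trust,allow,aged-out
"""


def parse(export_text):
    return list(csv.DictReader(StringIO(export_text)))


def query(records, **filters):
    """Same effect as the GUI filter
    ( addr.src in 10.1.1.100 ) and ( addr.dst in 192.168.2.10 )."""
    return [r for r in records if all(r[k] == str(v) for k, v in filters.items())]


def verdicts(records):
    """Count (rule, action) pairs. Traffic denied by the implicit rule shows the
    rule name interzone-default, which is what 'no explicit deny rule' looks like."""
    return Counter((r["rule"], r["action"]) for r in records)


def suspicious_incomplete(records):
    """Sessions the policy allowed but that never completed the handshake (App-ID
    'incomplete', aged out) are the usual first sign of a missing return path,
    e.g. asymmetric routing, and the place to start when chasing non-SYN drops."""
    return [r for r in records if r["app"] == "incomplete" and r["session_end_reason"] == "aged-out"]


def demo():
    records = parse(SAMPLE_EXPORT)
    hits = query(records, src="10.1.1.100", dst="192.168.2.10")
    return {"matching_sessions": len(hits),
            "verdicts": verdicts(hits),
            "incomplete_from_dc": len(suspicious_incomplete(records))}


if __name__ == "__main__":
    result = demo()
    print(f"{result['matching_sessions']} sessions matched the src/dst filter")
    for (rule, action), n in result["verdicts"].items():
        print(f"  {n} x rule={rule} action={action}")
    print(f"{result['incomplete_from_dc']} allowed-but-incomplete sessions worth checking")
```

On the constructed data the src/dst filter returns two sessions, both denied by interzone-default, which is exactly the answer to the question: nothing explicitly denies the traffic, so no rule allows it either. The second helper is the companion check for the asymmetric-routing question: allowed sessions that age out as 'incomplete' mean the firewall saw a SYN but never the rest of the handshake.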
A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?
HA1 interface
VLAN interface
Ethernet 1/1
MGT (Management) interface
The MGT interface is a dedicated management port that can be assigned an IP on a separate VLAN for out-of-band management.
During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?
Reboot the firewall to clear the pending commit
Run 'commit force yes' from the CLI to force the commit
Forcing the commit will complete or abort the pending commit, clearing the block.
Wait for the commit to complete automatically
Cancel the upgrade and restart
An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?
Export Traffic logs to CSV and analyze in Excel
Use the Top Applications report in the Reports tab
Use the ACC (Application Command Center) and filter by user group and time range
ACC provides a customizable dashboard with historical data by application and user group.
Use the Monitor tab's Session Browser with a filter for the user group
A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?
The VLAN interface needs an IP address configured
The VLAN interface must be assigned to a virtual router
The firewall needs a commit to apply the changes
The Ethernet interface is not set to Layer 2 mode, or its 802.1Q tag does not match the VLAN.
A VLAN interface only carries traffic when a Layer 2 interface or subinterface that is a member of its VLAN object is up; an interface left in Layer 3 or virtual-wire mode, or a subinterface tagged for a different VLAN ID, is not a member of that VLAN, so the VLAN interface has nothing to come up on.
An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?
Configure HA1 and HA2 interfaces with appropriate IPs
Enable Config Sync on the HA General tab
Enable Session Setup and State Synchronization under HA configuration
These settings synchronize session-table state between the peers over the HA2 (data) link, so established sessions survive a failover. HA1 carries configuration and heartbeats only, and Config Sync on its own replicates configuration, not sessions.
Configure Path Monitoring to detect link failures
A company uses App-ID to control cloud storage applications. Users report that uploads to Google Drive are blocked even though a rule allows 'google-drive-base'. What is the most likely cause?
The firewall is not connected to the cloud for App-ID updates.
The rule allows only 'google-drive-base' but the uploads use 'google-drive-upload'.
Google Drive has multiple sub-apps; uploads are a different app-ID.
Decryption is not enabled for Google Drive traffic.
An application override is configured for Google Drive.
A security team notices that custom application 'myapp' is not being identified by App-ID even though the correct application override is in place. What should they verify first?
Ensure the application uses a standard port.
Ensure SSL decryption is enabled for the application.
Check if the application override is applied to the correct rule.
Verify that the traffic actually reaches the firewall and matches the Application Override rule's criteria (zones, addresses, protocol and port), for example by checking the application shown for the session in the Traffic log.
Application Override is evaluated before Security policy; when it matches, the session is tagged with the custom application and App-ID signature processing is skipped for it. If the traffic never reaches the firewall, or the override's match criteria miss it, the session is identified by normal App-ID instead and 'myapp' never appears.
A security administrator wants to block all traffic using the BitTorrent protocol regardless of port. Which method should they use?
Use URL Filtering to block BitTorrent.
Create a security rule with Application set to 'bittorrent' and Action set to 'Deny'.
App-ID identifies BitTorrent across any port.
Use Data Filtering to block BitTorrent traffic.
Block the commonly used ports for BitTorrent.
After a security policy change, users complain that they cannot upload files to a custom web application. The rule allows the custom application 'webapp' and Content-ID is enabled. What is the most likely cause?
The application 'webapp' is not allowed due to an application override.
SSL decryption is not enabled.
A file blocking profile is blocking the upload.
File blocking is part of Content-ID and can prevent uploads.
App-ID is not identifying the application correctly.
A security engineer is troubleshooting why YouTube video streaming is not being identified as 'youtube-streaming' but instead as 'youtube-base'. What could be the reason?
The firewall has not received the latest App-ID update.
SSL decryption is not configured.
The traffic lacks enough signatures to identify the sub-application.
If only partial identification is possible, it shows as the parent app.
A security rule is blocking the sub-application.
What is the primary benefit of using Content-ID in a security policy?
It blocks malicious URLs.
It prioritizes traffic for specific applications.
It enables threat prevention and file blocking on allowed applications.
Content-ID inspects content after App-ID allows the application.
It identifies applications regardless of port.
A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?
Create a decryption policy rule with action 'Decrypt' and a custom URL category for the application.
Create a decryption policy rule with action 'No Decrypt' and disable certificate status check.
Create a decryption policy rule with action 'No Decrypt' for the application and attach a Decryption profile whose No Decryption settings block sessions with expired certificates or untrusted issuers.
The session is no longer proxied, so the decrypt/re-encrypt overhead disappears, while the firewall still validates the server certificate it sees in the handshake. The trade-off is real: without decryption there is no threat inspection of the encrypted payload, and App-ID and URL category work only from the SNI and certificate, so this belongs on a trusted, well-understood application. Forward Trust and Forward Untrust certificates matter only when the action is Decrypt (SSL Forward Proxy).
Create a decryption policy rule with action 'Decrypt' and source zone set to 'Untrust'.
A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?
The decryption policy uses 'No Decrypt' for the internal application's URL category.
The decryption policy is set to 'Decrypt' for all traffic, causing performance bottlenecks.
The firewall's CA certificate is not installed in the trusted root store on user endpoints.
Without trust, browsers show certificate errors and block the connection.
The firewall is configured to decrypt traffic from the internal zone, but not the external zone.
A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?
URL Filtering logs
Threat logs
Tunnel Inspection logs
Traffic logs
The Traffic log's Flags column shows whether a session was decrypted, so a session that matched a No Decrypt rule appears without the decrypted flag. On PAN-OS 10.0 and later the dedicated Decryption log is the richer source for decryption decisions, but of the log types listed, Traffic is the one that shows the bypass. Tunnel Inspection logs cover GRE, IPsec and GTP tunnel content, not TLS decryption.
A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?
The firewall re-signs the server's certificate with its Forward Untrust certificate, so the client sees a certificate warning.
In SSL Forward Proxy the firewall copies the server certificate and signs it with the Forward Trust CA if the original chains to a trusted root, or with the Forward Untrust CA if it does not. Endpoints deliberately do not trust the Forward Untrust CA, so the browser warns exactly as it would have without the proxy; the session is still decrypted unless the Decryption profile is set to block sessions with untrusted issuers.
The firewall will block the connection and generate an alert.
The firewall will decrypt the traffic using its own certificate and re-encrypt with the partner's certificate.
The firewall will automatically trust the self-signed certificate and pass traffic without decryption.
Which monitoring tool in Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?
Dashboard
The Dashboard includes decryption widgets for real-time monitoring.
Policy Optimizer
Log Viewer
Reports
An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?
Create a decryption rule with action 'Decrypt' and destination zone 'Untrust'.
Create a decryption rule with action 'No Decrypt' for the URL category 'Financial Services'.
This skips decryption for the built-in financial-services URL category. The firewall still sees the SNI and server certificate, so App-ID and the URL category match continue to work on the undecrypted session, and the rule must sit above any broader Decrypt rule because decryption policy is also first-match.
Create a decryption rule with action 'No Decrypt' for all traffic, then a rule above it to decrypt all other traffic.
Create a decryption rule with action 'Decrypt' for the URL category 'Financial Services'.
The PCNSA exam has 80 questions and must be completed in 80 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 8 domains: Managing Objects, Policy Evaluation and Management, Securing Traffic, Core Concepts, Palo Alto Networks Platforms and Architecture, Device Management and Services, App-ID and Content-ID, Decryption and Monitoring. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Palo Alto Networks PCNSA exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.