
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Palo Alto Networks · Free Practice Questions · Last reviewed May 2026

PCNSA Exam Questions and Answers

48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

80 exam questions
80 min time limit
Pass: 700/1000
8 exam domains
Exam domains:
1. Managing Objects
2. Policy Evaluation and Management
3. Securing Traffic
4. Core Concepts
5. Palo Alto Networks Platforms and Architecture
6. Device Management and Services
7. App-ID and Content-ID
8. Decryption and Monitoring

Domain 1: Managing Objects

Q1 (easy)

An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?

A

Address object

Address object directly defines a specific IP address.

B

Tag

C

Address group

D

Region

Why: To block traffic from a specific internal IP address to the internet, you must identify that source IP in the security policy rule. An Address Object is the correct object type because it represents a single IP address or subnet and can be directly placed in the source field of a security policy rule to match traffic from that host. Tags, Address Groups, and Regions are not designed to represent a single IP address for source matching in this context.
Q2 (medium)

A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?

A

NAT address pool

NAT address pool specifies the translated IP addresses.

B

External dynamic list

C

Service group

D

IPsec Crypto profile

Why: A NAT address pool is the correct object type because it allows the administrator to translate overlapping private IP addresses (192.168.0.0/16) from multiple branch offices into unique, non-overlapping IP addresses before sending traffic over the IPsec tunnel. This prevents routing conflicts at the data center by ensuring each branch's source IPs are mapped to distinct addresses from a defined pool, a process known as source NAT (SNAT) or IP address translation.
Q3 (hard)

During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?

A

Use a region object instead

B

Create a dynamic address group with a tag-based filter

C

Use an FQDN object in the address group; the firewall resolves it automatically

FQDN objects automatically resolve and update IPs.

D

Manually add all possible IP addresses to an address group

Why: Option C is correct because Palo Alto Networks firewalls automatically resolve FQDN objects to their current IP addresses at runtime, without requiring manual updates. When an FQDN object is used in an address group, the firewall performs DNS resolution each time the policy is evaluated, ensuring that the latest IP addresses are used even if they change frequently.
Q4 (medium)

An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?

A

Application object

Application objects define specific applications like web-browsing.

B

Application filter

C

Application group

D

Service object

Why: The correct answer is A, Application object, because in Palo Alto Networks security policies, the application field uses predefined or custom application objects to identify traffic based on the application identity, not just port/protocol. This allows the administrator to permit specific applications like web-browsing (HTTP/HTTPS) and SSL while blocking others, even if they use the same ports. Application objects leverage App-ID technology to inspect traffic beyond Layer 4, ensuring only allowed applications pass.
Q5 (medium)

Which TWO statements about External Dynamic Lists (EDLs) are true?

A

EDLs can be used in security policy source and destination fields.

EDLs can be used as address objects in policies.

B

EDLs have a fixed refresh interval that cannot be changed.

C

EDLs must be manually updated by an administrator.

D

EDLs support both IP addresses and URLs.

EDLs can contain IPs, URLs, or domains.

E

EDLs allow the administrator to add individual IPs directly via the GUI.

Why: Option A is correct because External Dynamic Lists (EDLs) can be used as source or destination objects in security policy rules. This allows the firewall to match traffic against a regularly updated list of IP addresses or URLs hosted externally, enabling dynamic threat intelligence integration without manual rule changes.
Q6 (hard)

An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?

A

The application 'web-browsing' does not cover port 8080 traffic.

App-ID identifies traffic based on signatures, not just port. Custom HTTP on 8080 may not match 'web-browsing' signature, so it is not allowed.

B

The rule order is incorrect; a previous rule is denying the traffic.

C

The destination address object 10.10.0.0/16 is incorrect.

D

The source zone 'GP' should be 'untrust'.

Why: The security rule explicitly allows the applications 'web-browsing', 'ssl', and 'dns'. Although the custom web application uses HTTP on port 8080 and is identified as 'web-browsing', the application 'web-browsing' in Palo Alto Networks firewalls is defined to use standard HTTP ports (typically port 80; 8080 is not included by default). Because the application definition does not match the traffic on port 8080, the firewall does not treat this traffic as matching the application 'web-browsing', and it falls through to the implicit deny rule, causing the denial.


Domain 2: Policy Evaluation and Management

Q1 (medium)

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

A

The rule only allows traffic from Engineering to Servers zone, not DMZ.

The rule explicitly allows Engineering to Servers; traffic to DMZ is not covered and is denied by default.

B

The rule is configured as an intrazone rule.

C

The rule is disabled in the rulebase.

D

SSL decryption is blocking the traffic.

Why: The security rule explicitly permits traffic from the 'Engineering' zone to the 'Servers' zone. Traffic destined to the 'DMZ' zone is a different zone, so the rule does not apply. By default, Palo Alto Networks firewalls enforce a deny-all policy for any traffic that does not match an explicit allow rule, which is why the traffic is denied.
Q2 (hard)

A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?

A

Create two rules: one for general traffic with 'allow' action and a 'threat' profile, and a higher-priority rule for video conferencing traffic with 'allow' action and no threat profile.

This allows selective bypassing of threat inspection for video traffic while inspecting the rest.

B

Create a single rule with 'allow' action and no security profiles, and rely on the firewall's default behavior to inspect malware.

C

Create a single rule with 'allow' action and a 'threat' profile applied, and rely on the firewall's ability to skip inspection for video traffic automatically.

D

Use policy-based forwarding to route video traffic to a separate interface that has no security profiles.

Why: Option A is correct because it uses two security rules with different priorities: a higher-priority rule for video conferencing traffic with an 'allow' action and no threat profile to bypass inspection, and a lower-priority rule for general traffic with an 'allow' action and a threat profile to enforce malware inspection. This leverages the firewall's rule-ordering logic, where the first matching rule is applied, allowing selective bypass of threat inspection for specific traffic while maintaining security for other traffic.
Q3 (easy)

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

A

The source IP is negated in the rule.

B

The rule is placed at the top of the rulebase and overridden by a later rule.

C

The rule is positioned below an allow rule that matches the same traffic.

First match wins, so the allow rule matches before the block rule.

D

The rule is disabled in the rulebase.

Why: Option C is correct because the Palo Alto Networks firewall evaluates security rules in top-down order, from the first rule in the rulebase to the last. If a rule that allows traffic is placed higher in the list, it will match and permit the traffic before the lower-placed block rule is ever evaluated. The block rule at the bottom is effectively never reached for that traffic, which is why the intended blocking action fails.
Q4 (medium)

An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?

A

The firewall is configured to use DNS sinkholing, which bypasses URL filtering.

B

The rule is placed too low in the rulebase and a higher rule allows traffic without URL filtering.

C

The rule uses a source zone of 'Corporate' but the users are in a different zone.

D

The URL Filtering profile is set to 'alert' instead of 'block' for the relevant categories.

An alert action logs but allows traffic; it does not block.

Why: Option D is correct because if the URL Filtering profile is set to 'alert' instead of 'block' for the relevant categories, the firewall will log the violation but still allow the traffic to pass. This means users can access blocked categories even though the rule is correctly applied, as the profile does not enforce a blocking action.
Q5 (hard)

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

A

Create a single rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user 'any', action 'allow' and enable logging.

B

Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source user set to an LDAP group containing the administrators, action 'allow', and a second rule with same match criteria but action 'drop' and log at end.

User-ID integration allows scalable user-based policies.

C

Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', action 'allow', and rely on the firewall's default deny rule for others.

D

Create a rule with source zone 'Admin', destination zone 'Core', application 'ssh', source address list of all administrators' IPs, action 'allow', and a catch-all drop rule.

Why: Option B is correct because it uses an LDAP group as the source user attribute, which allows dynamic membership management without manual IP updates. The first rule permits SSH for the group, and the second rule logs and drops all other SSH attempts, ensuring only authorized administrators are allowed while unauthorized attempts are recorded for auditing. This approach is scalable for a large number of administrators because it leverages user-based policies rather than IP-based rules.
Q6 (medium)

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

A

Enable logging on all rules to ensure complete audit trails.

B

Use zone-based policies instead of IP-based policies whenever possible.

Zone-based policies are more scalable and easier to manage.

C

Sort rules alphabetically by name to simplify rulebase navigation.

D

Disable unused rules rather than deleting them to preserve rule order for future use.

Disabling keeps the rule in the rulebase without affecting traffic.

E

Use service objects based on TCP/UDP ports to define application traffic.

Why: Option B is correct because zone-based policies reduce complexity and improve scalability by grouping interfaces into security zones, allowing policies to be applied based on traffic direction (e.g., from Trust to Untrust) rather than individual IP addresses. This aligns with Palo Alto Networks' best practice of using zones to simplify rule management and enhance security posture, as IP-based policies become unmanageable in dynamic environments.


Domain 3: Securing Traffic

Q1 (medium)

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

A

The TCP sequence numbers are out of order, causing the packets to be out of the expected window.

B

The NAT policy is misconfigured, causing the source IP to not be translated correctly.

C

The security policy uses an incorrect service object that doesn't match the application.

D

Asymmetric routing is causing packets to arrive at a firewall that did not see the initial SYN.

Asymmetric routing leads to tcp-non-syn drops because the firewall has no session for the non-SYN packet.

Why: When a firewall sees a non-SYN TCP packet without having seen the initial SYN, it cannot validate the TCP three-way handshake state. This typically occurs with asymmetric routing, where the SYN traverses one firewall and subsequent packets arrive at a different firewall that lacks the session state. The firewall drops these packets with the 'tcp-non-syn' reason because it has no corresponding session entry to associate them with.
Q2 (easy)

An organization wants to prevent data exfiltration via DNS tunneling. Which security profile should be applied to the outbound DNS traffic?

A

DNS Security profile

DNS Security is designed to detect and block DNS tunneling.

B

Vulnerability Protection profile

C

URL Filtering profile

D

Anti-Spyware profile

Why: DNS Security profile is specifically designed to detect and block DNS tunneling, which is a technique used to exfiltrate data by encoding it within DNS queries and responses. By inspecting DNS traffic for anomalies such as high query rates, unusual domain names, or non-standard record types, the DNS Security profile can identify and prevent data exfiltration attempts. Other security profiles do not have the specialized DNS-layer inspection capabilities required to counter this threat.
Q3 (hard)

A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?

A

A zone protection profile is blocking ICMP packets.

B

The virtual router does not have a default route to the external network.

Without a route, the firewall cannot forward packets to the destination.

C

The decryption policy is blocking the traffic because it is not decrypted.

D

The NAT policy is missing for the outbound traffic.

Why: The most likely cause is that the virtual router lacks a default route to the external network. Even though the security policy permits the traffic, the firewall must have a route in the virtual router's routing table to forward packets toward the destination. Without a default route, the firewall drops the traffic because it cannot determine the next hop for the external server's IP address.
Q4 (easy)

When configuring a security policy rule to allow HTTP traffic from the internal zone to the external zone, which mandatory components must be defined?

A

Source Zone, Destination Zone, Application, and User

B

Source Zone, Destination Zone, Application, and Service

C

Source Zone, Destination Zone, Service, and Action

D

Source Zone, Destination Zone, Source Address, Destination Address, Application, and Action

These are the minimum required fields in a security policy rule.

Why: Option D is correct because a security policy rule in Palo Alto Networks firewalls requires at minimum the source zone, destination zone, source address, destination address, application, and action to be defined. For HTTP traffic from internal to external zones, these components ensure the rule is specific enough to match the intended traffic while leveraging App-ID for application identification, not just port-based service definitions.
Q5 (medium)

An administrator needs to allow inbound SMTP traffic to a mail server located in the DMZ. The firewall has a public IP address on the external interface. Which configuration is necessary to ensure the mail server receives the traffic?

A

Configure a Source NAT rule to translate the mail server's IP to the public IP.

B

Configure a Destination NAT rule and a security policy rule allowing SMTP from external to DMZ.

Destination NAT translates the public IP to the private IP, and the policy allows the traffic.

C

Configure a security policy rule with source NAT to translate the public IP to the private IP.

D

Configure a security policy rule allowing SMTP from external to DMZ without NAT.

Why: To allow inbound SMTP traffic from the internet to a mail server in the DMZ, the firewall must perform Destination NAT (DNAT) to translate the public IP address on the external interface to the private IP address of the mail server. A corresponding security policy rule must permit SMTP (TCP port 25) traffic from the external zone to the DMZ zone. Without DNAT, the firewall would not know which internal server should receive the traffic, and without the security rule, the traffic would be blocked.
Q6 (hard)

Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)

A

Enable DNS Security on the outbound DNS traffic.

DNS Security detects tunneling attempts.

B

Configure DNS policies to block requests to unknown domains.

This restricts DNS to known domains only.

C

Allow all TCP traffic on port 53.

D

Enable logging on all DNS traffic for analysis.

E

Block all UDP traffic on port 53.

Why: Option A is correct because DNS Security (DNSsec) on Palo Alto Networks firewalls can inspect and block DNS tunneling by identifying anomalous DNS queries and responses, such as those with unusually long domain names or high query rates. This feature uses threat intelligence and machine learning to detect tunneling attempts without relying solely on static domain block lists.


Domain 4: Core Concepts

Q1 (medium)

A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?

A

A Zone Protection profile is dropping the traffic.

B

The Security policy rule has a DoS Protection profile applied that is dropping traffic.

DoS Protection profiles can drop traffic even if the rule permits it.

C

A decryption policy is blocking the traffic.

D

The Security policy rule has a source zone mismatch.

Why: When a Security policy rule permits traffic but it is still blocked, the most likely cause is that a DoS Protection profile is applied to the rule. DoS Protection profiles can drop traffic based on session rate thresholds or other attack signatures, even when the base Security rule allows the session. This is a common misconfiguration because the profile operates as an additional enforcement layer above the permit action.
Q2 (hard)

An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?

A

Install a virtual wire between the virtual routers.

B

Add static routes for the remote subnets in each virtual router.

C

Configure a default route in each virtual router pointing to the other.

D

Create a Security policy rule that allows traffic between the virtual routers.

Inter-virtual-router traffic must be permitted by Security policy to be inspected.

Why: Option D is correct because traffic between virtual routers must be explicitly permitted by a Security policy rule. Even though virtual routers provide separate routing tables, the firewall still applies security policy to traffic crossing between them; without a Security rule allowing the traffic, it is denied by default. This ensures that inter-virtual-router traffic is inspected and controlled by the firewall's security engine.
Q3 (easy)

A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?

A

Create a new Security policy rule with an Application ID that blocks social-media applications.

B

Create a new Security policy rule with a URL Filtering profile that blocks the social-media category.

URL Filtering directly blocks access by category.

C

Add a Custom Signature to the existing rule to block social media traffic.

D

Modify the existing web browsing rule to deny social media destinations.

Why: Option B is correct because URL Filtering profiles are specifically designed to block entire categories of websites (like social media) based on URL categorization, which is the most efficient method for blocking access to social media sites. This approach leverages Palo Alto Networks' URL Filtering database, which categorizes millions of URLs, allowing the administrator to block the entire 'social-media' category with a single policy rule without needing to identify individual applications or destinations.
Q4 (medium)

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

A

A DDoS attack is flooding the firewall with SYN packets.

B

An application on the internal network is not completing TCP handshakes.

Half-open connections indicate incomplete handshakes, likely due to application failure.

C

The firewall's TCP timeout setting is too short.

D

The firewall's hardware is failing.

Why: A high number of half-open TCP connections indicates that SYN packets are received but the three-way handshake is never completed. Option B is correct because an internal application that fails to send the final ACK (or does not respond to SYN-ACK) leaves connections in a half-open state, consuming firewall resources and degrading performance.
Q5 (hard)

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

A

Create a Security policy rule that allows traffic from any source to the web server on destination ports 80 and 443.

This permits HTTP and HTTPS traffic.

B

Configure an SSL Forward Proxy decryption policy to decrypt HTTPS traffic.

C

Create a Security policy rule that allows all traffic to the web server and relies on Application ID to filter.

D

Create a Security policy rule that blocks all traffic not matching the web-browsing and ssl applications.

E

Attach a Vulnerability Protection profile to the Security policy rule.

This inspects traffic for threats.

Why: Option A is correct because a Security policy rule explicitly allowing traffic to destination ports 80 and 443 ensures only HTTP and HTTPS traffic reaches the web server, aligning with the requirement to restrict allowed traffic. This rule uses port-based matching to permit only the specified services, which is a foundational step in controlling access.
Q6 (easy)

A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?

A

Configure a DNS proxy to resolve domain names.

B

Assign an IP address to the internal interface and set it as a Layer 3 interface.

Required for internal network connectivity.

C

Enable User-ID to identify users on the network.

D

Create a Security policy rule that allows traffic from internal zone to external zone.

Required to permit outbound traffic.

E

Configure a source NAT policy to translate internal private IP addresses to the external public IP.

Necessary for outbound internet access.

Why: Option B is correct because the internal interface must be configured as a Layer 3 interface with an assigned IP address to route traffic. Without this, the firewall cannot forward packets from the internal network to the external network, as Layer 3 interfaces are required for IP routing and policy enforcement.


Domain 5: Palo Alto Networks Platforms and Architecture

Q1 (easy)

A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?

A

The rule is placed below an earlier rule that also matches the traffic.

B

The firewall's license for the threat prevention subscription has expired.

C

The firewall is in an active/passive HA pair and the passive unit is handling traffic.

D

The rule is disabled in the rulebase.

A disabled rule is not evaluated, so traffic matching that rule will not be inspected.

Why: Option D is correct because if a security policy rule is disabled in the rulebase, it will not be evaluated or enforced, even if it matches the traffic. The firewall will skip the rule entirely, meaning no logging or inspection occurs for traffic that would have matched it. This directly explains why the traffic is not being inspected or logged despite the rule appearing to be configured.
Q2 (medium)

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

A

Create three zones: Web, App, DB. Create rules that allow only necessary protocols (e.g., HTTP/HTTPS from internet to Web, specific ports from Web to App, and specific ports from App to DB).

This follows least-privilege principles by allowing only required traffic between specific zones and ports.

B

Create three zones: Web, App, DB. Allow all traffic from Web to App and App to DB, and block all other inter-zone traffic.

C

Place web servers in an untrust zone and app/database in a trust zone, then allow all traffic from trust to untrust.

D

Place all servers in the same zone and use rules to allow traffic between them.

Why: Option A is correct because it implements a least-privilege security model using Palo Alto Networks zones and granular application- and port-based rules. By creating separate zones (Web, App, DB) and explicitly allowing only the necessary protocols (e.g., HTTP/HTTPS from the internet to Web, specific ports from Web to App, and specific ports from App to DB), the firewall enforces strict segmentation and minimizes the attack surface. This design leverages the zone-based security paradigm of PAN-OS to control inter-zone traffic precisely, aligning with the principle of zero trust.
Q3 (hard)

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

A. The firewall does not have a route to the 10.0.0.0/24 network. (correct)
   Without a route, the firewall cannot forward the packet to the destination, even if the security rule allows it.
B. The security rule is not placed at the top of the rulebase.
C. A zone protection profile is blocking the traffic.
D. The destination server does not have a route back to the 192.168.1.0/24 subnet.

Why: The traffic matches the security rule, but the firewall drops the packet because it cannot find a route to the destination network 10.0.0.0/24. In Palo Alto Networks firewalls, even if a security rule permits traffic, the firewall must have a valid route in its routing table to forward the packet to the next hop. Without a route, the firewall has no way to deliver the packet to the server at 10.0.0.10, resulting in a drop.
Q4 (easy)

A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?

A. Destination NAT policy to translate the public IP to the internal server.
B. SSL decryption policy to decrypt traffic to the web server.
C. A security policy rule that allows traffic from the internet zone to the DMZ zone and has a threat prevention profile attached. (correct)
   The security rule with a threat profile enables inspection of allowed traffic.
D. A QoS policy to prioritize web traffic.

Why: Option C is correct because a security policy rule that allows traffic from the internet zone to the DMZ zone with a threat prevention profile attached is the essential component to inspect all traffic from the internet to the internal web server for threats. The threat prevention profile enables the firewall to perform intrusion prevention system (IPS) and antivirus inspection on the allowed traffic, ensuring malicious content is blocked. Without this profile, traffic would be permitted but not inspected for threats, failing the requirement.
Q5 (medium)

After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?

A. The firewall's CPU and memory are insufficient for the new PAN-OS version.
B. The upgrade triggered a full commit of the entire configuration, which takes longer than a partial commit. (correct)
   After an upgrade, the system often performs a full commit to apply structural changes, which is slower.
C. The firewall is performing a backup of the configuration.
D. The rulebase has grown too large.

Why: Option B is correct because after a PAN-OS upgrade, the firewall performs a full commit of the entire configuration, which processes all configuration objects, rules, and policies from scratch. This is inherently slower than a partial commit, which only processes changed objects. The full commit is a standard post-upgrade behavior to ensure configuration consistency with the new code base.
Q6 (hard)

A firewall is configured with multiple virtual routers. Traffic from a host in Vsys A needs to reach a server in Vsys B. Both virtual routers have direct routes to their respective subnets. What additional configuration is required?

A. Configure a virtual wire or route redistribution between the virtual routers of Vsys A and Vsys B. (correct)
   Inter-vsys routing requires a path between the virtual routers, such as a virtual wire or route leak.
B. Create a security rule that allows traffic from the source zone in Vsys A to the destination zone in Vsys B.
C. Ensure both virtual routers are in the same virtual system.
D. Configure a NAT policy to translate the source IP to an IP in Vsys B's subnet.

Why: Virtual routers in different virtual systems (Vsys) are isolated by default. To enable inter-Vsys routing, you must configure either a virtual wire (which bridges the two Vsys at Layer 2) or route redistribution (which allows routes from one virtual router to be shared with the other). This provides the necessary Layer 3 connectivity between the Vsys A and Vsys B subnets.

Domain 6: Device Management and Services

Q1 (medium)

A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?

A. Search Traffic logs with filters for source 10.1.1.100 and destination 192.168.2.10 (correct)
   Traffic logs show the action (allow/deny/drop) for each session, and filtering by IPs narrows down the specific session.
B. Search Threat logs for the destination IP
C. Search Config logs for any rule changes
D. Search System logs for the user's IP

Why: Traffic logs capture every session that passes through the firewall, including allowed and denied connections. By filtering for the specific source IP (10.1.1.100) and destination IP (192.168.2.10), the administrator can quickly see the exact session details, including the action taken (e.g., deny, drop) and the reason (e.g., no matching rule, application override). This is the most direct method to identify why traffic is being blocked when no explicit deny rule exists.
Q2 (easy)

A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?

A. HA1 interface
B. VLAN interface
C. Ethernet 1/1
D. MGT (Management) interface (correct)
   The MGT interface is a dedicated management port that can be assigned an IP on a separate VLAN for out-of-band management.

Why: The MGT (Management) interface is a dedicated physical port on Palo Alto Networks firewalls designed specifically for out-of-band management traffic. It operates on a separate routing table and does not participate in production data forwarding, ensuring complete isolation of management traffic from production traffic as required by the scenario.
Q3 (hard)

During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?

A. Reboot the firewall to clear the pending commit
B. Run 'commit force yes' from the CLI to force the commit (correct)
   Forcing the commit will complete or abort the pending commit, clearing the block.
C. Wait for the commit to complete automatically
D. Cancel the upgrade and restart

Why: Option B is correct because the 'commit force yes' command overrides a stuck or incomplete commit by forcing the commit operation to proceed, which clears the pending commit state and allows the upgrade to continue. In PAN-OS, a pending commit blocks administrative operations like upgrades, and forcing the commit is the safest way to resolve this without disrupting the firewall's operational state.
Q4 (medium)

An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?

A. Export Traffic logs to CSV and analyze in Excel
B. Use the Top Applications report in the Reports tab
C. Use the ACC (Application Command Center) and filter by user group and time range (correct)
   ACC provides a customizable dashboard with historical data by application and user group.
D. Use the Monitor tab's Session Browser with a filter for the user group

Why: The ACC (Application Command Center) is purpose-built for rapid application visibility and analysis. By filtering by user group and time range directly within the ACC, the administrator can instantly see the top applications used by that group without exporting or manually parsing logs, making it the most efficient method for this specific reporting need.
Q5 (easy)

A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?

A. The VLAN interface needs an IP address configured
B. The VLAN interface must be assigned to a virtual router
C. The firewall needs a commit to apply the changes
D. The Ethernet interface is not set to layer 2 mode or the VLAN tag is not allowed (correct)
   For a VLAN interface to be up, the parent Ethernet interface must be in layer 2 mode and the VLAN tag must be in the allowed list.

Why: For a VLAN interface to be operational on a Palo Alto Networks firewall, the underlying Ethernet interface must be configured in Layer 2 mode and the specific VLAN tag must be allowed on that interface. If the Ethernet interface remains in Layer 3 mode or the VLAN tag is not included in the allowed list, the VLAN interface will remain administratively down, as it cannot associate with a physical port that is not set to accept VLAN traffic.
Q6 (hard)

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

A. Configure HA1 and HA2 interfaces with appropriate IPs
B. Enable Config Sync on the HA General tab
C. Enable Session Setup and State Synchronization under HA configuration (correct)
   These settings enable the synchronization of session state information between HA peers.
D. Configure Path Monitoring to detect link failures

Why: Option C is correct because session state synchronization (also known as stateful failover) requires enabling both Session Setup and State Synchronization under the HA configuration. This ensures that the active firewall's session table is continuously replicated to the passive firewall, so when a failover occurs, existing sessions are not dropped and can continue without interruption.

Domain 7: App-ID and Content-ID

Q1 (medium)

A company uses App-ID to control cloud storage applications. Users report that uploads to Google Drive are blocked even though a rule allows 'google-drive-base'. What is the most likely cause?

A. The firewall is not connected to the cloud for App-ID updates.
B. The rule allows only 'google-drive-base' but the uploads use 'google-drive-upload'. (correct)
   Google Drive has multiple sub-apps; uploads are a different app-ID.
C. Decryption is not enabled for Google Drive traffic.
D. An application override is configured for Google Drive.

Why: App-ID uses multiple application signatures to identify different functions within an application. 'google-drive-base' covers basic Google Drive traffic, but uploads are typically identified by a separate application signature, 'google-drive-upload'. Since the rule only allows 'google-drive-base', the firewall blocks the upload traffic because it does not match the permitted application. This is a common scenario where granular App-ID signatures must be explicitly allowed for specific actions like uploads.
Q2 (hard)

A security team notices that custom application 'myapp' is not being identified by App-ID even though the correct application override is in place. What should they verify first?

A. Ensure the application uses a standard port.
B. Ensure SSL decryption is enabled for the application.
C. Check if the application override is applied to the correct rule.
D. Verify that the traffic reaches the firewall and is allowed by a security policy rule that has App-ID enabled. (correct)
   If traffic is blocked by an earlier rule, App-ID never processes it.

Why: Option D is correct because App-ID identification occurs after the firewall receives traffic and matches a security policy rule. Even with a correct application override, the traffic must first be allowed by a security policy rule that has App-ID enabled; otherwise, the override is never evaluated. The override only applies to the application identification process, not to the policy enforcement layer.
Q3 (easy)

A security administrator wants to block all traffic using the BitTorrent protocol regardless of port. Which method should they use?

A. Use URL Filtering to block BitTorrent.
B. Create a security rule with Application set to 'bittorrent' and Action set to 'Deny'. (correct)
   App-ID identifies BitTorrent across any port.
C. Use Data Filtering to block BitTorrent traffic.
D. Block the commonly used ports for BitTorrent.

Why: Option B is correct because Palo Alto Networks firewalls use App-ID to identify applications like BitTorrent by their unique signatures, regardless of port or encryption. By creating a security rule with the application set to 'bittorrent' and action set to 'Deny', the firewall blocks all BitTorrent traffic even if it uses non-standard ports or tries to masquerade as other protocols.
Q4 (hard)

After a security policy change, users complain that they cannot upload files to a custom web application. The rule allows the custom application 'webapp' and Content-ID is enabled. What is the most likely cause?

A. The application 'webapp' is not allowed due to an application override.
B. SSL decryption is not enabled.
C. A file blocking profile is blocking the upload. (correct)
   File blocking is part of Content-ID and can prevent uploads.
D. App-ID is not identifying the application correctly.

Why: The correct answer is C because a file blocking profile, when enabled with Content-ID, can block uploads of specific file types even if the application itself is allowed. In this scenario, the rule permits the custom application 'webapp' and Content-ID is enabled, so the most likely reason for upload failure is that a file blocking profile is configured to block the file type being uploaded, not an issue with App-ID or SSL decryption.
Q5 (medium)

A security engineer is troubleshooting why YouTube video streaming is not being identified as 'youtube-streaming' but instead as 'youtube-base'. What could be the reason?

A. The firewall has not received the latest App-ID update.
B. SSL decryption is not configured.
C. The traffic lacks enough signatures to identify the sub-application. (correct)
   If only partial identification is possible, it shows as the parent app.
D. A security rule is blocking the sub-application.

Why: Option C is correct because App-ID uses a multi-layered approach to identify applications, including signatures, SSL decryption, and behavioral analysis. When YouTube traffic is classified as 'youtube-base' instead of the more specific 'youtube-streaming', it indicates that the firewall has identified the base application (YouTube) but lacks sufficient signatures or heuristics to differentiate the streaming sub-application. This typically occurs when the traffic does not contain enough distinct patterns (e.g., specific HTTP headers, TLS SNI, or packet sizes) to trigger the sub-application signature.
Q6 (easy)

What is the primary benefit of using Content-ID in a security policy?

A. It blocks malicious URLs.
B. It prioritizes traffic for specific applications.
C. It enables threat prevention and file blocking on allowed applications. (correct)
   Content-ID inspects content after App-ID allows the application.
D. It identifies applications regardless of port.

Why: Content-ID is the component of Palo Alto Networks' next-generation firewall that performs deep packet inspection on allowed application traffic. It enables threat prevention (e.g., antivirus, anti-spyware, vulnerability protection) and file blocking (e.g., blocking specific file types like .exe or .pdf) by scanning the content within the application sessions that have been identified by App-ID. Without Content-ID, the firewall would only allow or deny traffic based on application identity, but would not inspect the payload for threats or enforce file-based controls.

Domain 8: Decryption and Monitoring

Q1 (hard)

A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?

A. Create a decryption policy rule with action 'Decrypt' and a custom URL category for the application.
B. Create a decryption policy rule with action 'No Decrypt' and disable certificate status check.
C. Create a decryption policy rule with action 'No Decrypt' and enable 'Forward Trust Certificate' and 'Forward Untrust Certificate' with certificate status check. (correct)
   This allows trusted certificates to pass without decryption, reducing overhead while still validating certificates.
D. Create a decryption policy rule with action 'Decrypt' and source zone set to 'Untrust'.

Why: Option C is correct because setting the action to 'No Decrypt' with a Forward Trust Certificate and Forward Untrust Certificate enabled, along with certificate status check, allows the firewall to validate the server certificate and forward the original encrypted traffic without decrypting it. This minimizes decryption overhead while still performing certificate inspection to detect threats like revoked or untrusted certificates, which is ideal for traffic from a public CA where decryption is not required for threat detection.
Q2 (medium)

A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?

A. The decryption policy uses 'No Decrypt' for the internal application's URL category.
B. The decryption policy is set to 'Decrypt' for all traffic, causing performance bottlenecks.
C. The firewall's CA certificate is not installed in the trusted root store on user endpoints. (correct)
   Without trust, browsers show certificate errors and block the connection.
D. The firewall is configured to decrypt traffic from the internal zone, but not the external zone.

Why: Option C is correct because SSL Forward Proxy decryption requires the firewall's CA certificate to be trusted by client endpoints. When the firewall generates a new certificate for the internal application's server, the client must trust the firewall's CA to avoid certificate validation errors. Without the CA in the trusted root store, browsers and applications will reject the connection, causing failures for internal applications that rely on SSL/TLS.
Q3 (easy)

A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?

A. URL Filtering logs
B. Threat logs
C. Tunnel Inspection logs (correct)
   Tunnel Inspection logs record decryption decisions, including 'No Decrypt' actions.
D. Traffic logs

Why: Tunnel Inspection logs are specifically designed to record traffic that bypasses decryption due to a 'No Decrypt' policy rule. When a decryption policy is set to 'No Decrypt', the firewall does not inspect the encrypted payload, but Tunnel Inspection logs capture metadata about the bypassed session, including the reason for bypass. This allows administrators to monitor and audit traffic that was not decrypted, ensuring visibility into policy exceptions.
Q4 (hard)

A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?

A. The firewall will present the server's self-signed certificate to the client, causing a warning. (correct)
   Since the certificate is untrusted, the firewall displays a warning to the client.
B. The firewall will block the connection and generate an alert.
C. The firewall will decrypt the traffic using its own certificate and re-encrypt with the partner's certificate.
D. The firewall will automatically trust the self-signed certificate and pass traffic without decryption.

Why: When a firewall is configured for SSL decryption with a CA-signed certificate, it acts as a man-in-the-middle. For outbound traffic to a server using a self-signed certificate, the firewall cannot validate the server's certificate against a trusted CA. It will present the server's self-signed certificate to the client, which the client's browser does not trust, causing a certificate warning.
Q5 (easy)

Which monitoring tool in Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?

A. Dashboard (correct)
   The Dashboard includes decryption widgets for real-time monitoring.
B. Policy Optimizer
C. Log Viewer
D. Reports

Why: The Dashboard in Palo Alto Networks firewall provides real-time visibility into decryption statistics, including the number of sessions decrypted, certificate errors, and decryption failures. This is accessible via the 'Decryption' widget on the Dashboard, which aggregates live data from the decryption engine without requiring log queries or report generation.
Q6 (medium)

An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?

A. Create a decryption rule with action 'Decrypt' and destination zone 'Untrust'.
B. Create a decryption rule with action 'No Decrypt' for the URL category 'Financial Services'. (correct)
   This skips decryption for finance sites.
C. Create a decryption rule with action 'No Decrypt' for all traffic, then a rule above it to decrypt all other traffic.
D. Create a decryption rule with action 'Decrypt' for the URL category 'Financial Services'.

Why: SSL Forward Proxy decryption rules are evaluated in order, and the first matching rule determines the action. To exclude financial websites from decryption, you must create a rule with action 'No Decrypt' that matches the 'Financial Services' URL category. This ensures traffic to those sites is not decrypted, meeting compliance requirements.


Frequently asked questions

How many questions are on the PCNSA exam?

The PCNSA exam has 80 questions and must be completed in 80 minutes. The passing score is 700/1000.

What types of questions appear on the PCNSA exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are PCNSA questions organised by domain?

The exam covers 8 domains: Managing Objects, Policy Evaluation and Management, Securing Traffic, Core Concepts, Palo Alto Networks Platforms and Architecture, Device Management and Services, App-ID and Content-ID, Decryption and Monitoring. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual PCNSA exam questions?

No. These are original exam-style practice questions written against the official Palo Alto Networks PCNSA exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
