Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

PCNSA Device Management and Services • Complete Question Bank

PCNSA Device Management and Services — All Questions With Answers

Complete PCNSA Device Management and Services question bank — all 0 questions with answers and detailed explanations.

116 Questions • Free • No signup
Question 1 (medium, multiple choice)

A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?

Question 2 (easy, multiple choice)

A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?

Question 3 (hard, multiple choice)

During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?

Question 4 (medium, multiple choice)

An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?

Question 5 (easy, multiple choice)

A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?

Question 6 (hard, multiple choice)

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

Question 7 (medium, multiple choice)

A security analyst notices that a legitimate application is being incorrectly identified as a different application by the firewall. What is the best first step to resolve this issue?

Question 8 (easy, multiple choice)

An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?

Question 9 (medium, multi select)

Which TWO of the following are valid methods to upgrade the PAN-OS version on a Palo Alto Networks firewall?

Question 10 (hard, multi select)

Which THREE of the following are valid steps when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Question 11 (medium, multi select)

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

Question 12 (medium, multiple choice)

Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?

Exhibit

Refer to the exhibit.

```
admin@PA-500> show system info | match uptime
System time: Fri Aug 23 14:22:10 2024
Uptime: 0 days, 2:15:33

admin@PA-500> show system resources
CPU: 45%  Memory: 78%

admin@PA-500> show session info
Total active sessions: 85000
Max sessions: 100000

admin@PA-500> show running resource-monitor
Resource: dataplane
CPU: 89%  Memory: 92%
```
Question 13 (hard, multiple choice)

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

Exhibit

Refer to the exhibit.

```
admin@PA-3020> show running security-policy

rulebase security rules
  rule 1 name "Allow-Sales"
    source [ 10.1.1.0/24 ]
    destination [ 192.168.1.0/24 ]
    application [ ms-sql ]
    service [ tcp-1433 ]
    action allow
    log-start no
  rule 2 name "Allow-HR"
    source [ 10.1.2.0/24 ]
    destination [ 192.168.2.0/24 ]
    application [ web-browsing ]
    service [ application-default ]
    action allow
    log-start yes

admin@PA-3020> show session id 12345
Source IP: 10.1.1.50
Destination IP: 192.168.1.100
Application: ssl
Service: tcp-443

admin@PA-3020> show log traffic | match 10.1.1.50
... no results ...
```
Question 14 (hard, multiple choice)

A company has two Palo Alto Networks firewalls in an active/passive HA pair (PA-5250) running PAN-OS 10.1. The HA configuration uses dedicated HA1 (control link) and HA2 (data link) interfaces. The network team recently replaced a failed switch that connected the HA1 interfaces. After the switch replacement, the HA pair is not forming. The administrator logs into the active firewall and runs 'show high-availability state' which shows the local state as 'active' and the peer state as 'unknown'. The HA1 interface status shows 'link down'. The administrator checks the physical connections and confirms the cables are connected and the switch ports are up. What is the most likely cause and the best course of action?

Question 15 (medium, multiple choice)

A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?

Question 16 (easy, multiple choice)

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

Question 17 (hard, multiple choice)

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

Question 18 (easy, multiple choice)

A network administrator wants to allow FTP traffic from the internal network to a specific external server. The administrator creates a security policy rule with source zone 'internal', destination zone 'external', destination IP of the server, and application 'ftp'. However, the traffic is still blocked. What is the most likely reason?

Question 19 (medium, multiple choice)

A security administrator notices that a security policy rule is not matching traffic that should be allowed. The rule specifies source address as 10.0.1.0/24, destination address as 192.168.2.0/24, and application 'web-browsing'. The traffic originates from 10.0.1.5 to 192.168.2.10 using HTTPS. The traffic log shows that another rule with higher priority is matching and denying the traffic. What should the administrator check first?

Question 20 (medium, multi select)

Which TWO of the following are required when configuring a new virtual router on a Palo Alto Networks firewall?

Question 21 (hard, multi select)

A company is deploying a PA-220 firewall in a branch office. The firewall will be managed by Panorama. Which THREE of the following are required to establish a successful connection between the firewall and Panorama?

Question 22 (medium, multiple choice)

Refer to the exhibit. A firewall has the configuration shown. A security policy allows traffic from the internal zone to the external zone. However, users on the internal network (192.168.1.0/24) cannot reach the internet. What is the most likely cause?

Exhibit

```
> show system info

hostname: PA-5250
model: PA-5250
sw-version: 10.1.3
app-version: 8340-5987
threat-version: 8340-5987

> show running ip-route

destination: 0.0.0.0/0
nexthop: 10.0.0.1
interface: ethernet1/1

> show interface ethernet1/1

interface: ethernet1/1
state: up
ip address: 10.0.0.2/24
zone: external

> show interface ethernet1/2

interface: ethernet1/2
state: down
ip address: 192.168.1.1/24
zone: internal
```
Question 23 (medium, multiple choice)

A security administrator manages a Palo Alto Networks firewall with multiple virtual systems (vsys). The firewall is configured to use Panorama for centralized management. The administrator notices that after committing a configuration change on Panorama, the firewall's vsys2 is not receiving the updated configuration. The firewall can reach Panorama, and other vsys are updated correctly. The administrator verifies that Panorama's device group hierarchy includes the firewall and that the vsys2 template stack is correctly assigned. What is the most likely cause of this issue?

Question 24 (medium, drag order)

Drag and drop the steps to configure a security policy on a Palo Alto Networks firewall into the correct order.

Question 25 (medium, drag order)

Drag and drop the steps to configure a GlobalProtect portal and gateway on a Palo Alto Networks firewall into the correct order.

Question 26 (medium, drag order)

Drag and drop the steps to perform a factory reset on a Palo Alto Networks firewall into the correct order.

Question 27 (medium, matching)

Match each Palo Alto Networks feature to its primary function.

Matches

Identifies applications regardless of port

Maps IP addresses to usernames

Inspects files and data for threats

Cloud-based malware analysis

VPN client for remote access

Question 28 (medium, matching)

Match each protocol to its default port used by Palo Alto Networks.

Matches

443

22

N/A (ICMP)

161

Question 29 (medium, matching)

Match each Palo Alto Networks feature to its category.

Matches

Threat Prevention

Decryption

User-ID

App-ID

Question 30 (easy, multiple choice)

A network admin needs to push a security policy change to firewall-01 and firewall-02. Both firewalls have different interface configurations but should share the same security rules. What is the best way to achieve this using Panorama?

Question 31 (medium, multiple choice)

A company has two PA-220 firewalls in active/passive HA. They want to ensure that if the active firewall loses internet connectivity but its management interface remains up, a failover occurs. Which monitoring method should be configured?

Question 32 (hard, multiple choice)

An organization needs to send threat logs to two different syslog servers: one for real-time alerts and one for long-term storage. They also need to send traffic logs to the long-term storage syslog only. They have configured two syslog server profiles. What is the correct approach?

Question 33 (easy, multiple choice)

A security admin wants to allow network engineers to log in to the firewall using their existing Active Directory credentials while maintaining a local admin account for emergency access. What should be configured?

Question 34 (medium, multiple choice)

After a new zero-day exploit is discovered, a firewall must receive the latest threat prevention signature immediately. What is the most effective method to ensure the firewall gets the update as soon as it is released?

Question 35 (hard, multiple choice)

An administrator makes several changes to the firewall configuration and commits. However, after the commit, users report connectivity issues. The administrator wants to revert to the previous configuration quickly without losing the changes that were made earlier in the day but not yet committed. What should the administrator do?

Question 36 (easy, multiple choice)

A firewall uses an external SMTP server for email alerts. The SMTP server is reachable via a specific virtual router and interface. What must be configured to ensure the firewall uses the correct path to reach the SMTP server?

Question 37 (medium, multiple choice)

An enterprise wants to receive SNMP traps from their firewalls for critical events such as HA state changes and high CPU usage. They have an SNMP trap receiver at 10.1.1.100. What configuration steps are required?

Question 38 (hard, multiple choice)

A distributed enterprise has multiple firewalls at different sites. They want to map user IP addresses to usernames using the User-ID agent. The agent must be deployed in a way that minimizes unnecessary traffic and provides redundant coverage. What is the recommended deployment?

Question 39 (easy, multi select)

An administrator wants to configure SNMP traps to send critical events from a firewall to a receiver at 192.168.1.100. Which TWO configuration objects must be created? (Choose two.)

Question 40 (hard, multi select)

An administrator is configuring active/passive HA for two PA-3020 firewalls. Which TWO conditions would trigger a failover? (Choose two.)

Question 41 (hard, multi select)

An administrator wants to schedule regular configuration backups to an external server. Which THREE methods are valid ways to achieve this? (Choose three.)

Question 42 (hard, multiple choice)

Refer to the exhibit. An administrator runs 'show system resources' on a PA-500 firewall experiencing performance issues. Based on the output, what is the most likely cause?

Exhibit

```
show system resources
CPU:   user 10% system 5% idle 85%
Memory: 4096MB total, 4000MB used
Disk /dev/sda1: 20GB, 19GB used
Logging partition: 100% used
```
Question 43 (easy, multiple choice)

Refer to the exhibit. A firewall administrator is reviewing a Panorama template configuration. What is the purpose of the 'profile' statement under the interface?

Exhibit

```
template {
  name "Chicago-FW-Config"
  config {
    deviceconfig {
      system {
        hostname "CHI-FW-01"
        domain "example.com"
        ip-address 192.168.1.1
        netmask 255.255.255.0
        default-gateway 192.168.1.254
      }
    }
    network {
      interface ethernet1/1 {
        layer3 {
          ip 10.0.0.1/24
        }
        profile "protect"
      }
    }
  }
}
```
Question 44 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews a traffic log entry in JSON format. Which firewall feature is responsible for including the 'user' field in the log?

Exhibit

```
{"type":"traffic","subtype":"end","from":"trust","to":"untrust","sourceip":"10.1.1.100","destip":"203.0.113.50","user":"jdoe","action":"allow","bytes_sent":1024,"bytes_received":2048}
```
Question 45 (medium, multiple choice)

A network administrator needs to restrict which source IP addresses can access the firewall's web management interface. Which feature should be configured?

Question 46 (easy, multiple choice)

An administrator wants to synchronize the firewall's clock with a central NTP server. Where is this configured?

Question 47 (hard, multiple choice)

A syslog server is only reachable through a specific interface on the firewall. To ensure syslog logs are sent via that interface, which configuration is required?

Question 48 (medium, multiple choice)

After making configuration changes, an administrator clicks 'Commit' but the changes are not applied. What is the most likely cause?

Question 49 (easy, multiple choice)

For a firewall to communicate with Panorama for centralized management, which requirement must be met?

Question 50 (medium, multiple choice)

A company requires automatic daily backups of the firewall configuration. Which method should be used?

Question 51 (hard, multiple choice)

An administrator wants to allow ping (ICMP) and SSH access on a data interface (e.g., ethernet1/1) for troubleshooting. Which configuration is required?

Question 52 (easy, multiple choice)

During troubleshooting, an administrator needs to review firewall system events such as user logins, configuration changes, and commit failures. Which log type should be examined?

Question 53 (easy, multiple choice)

What is the purpose of the 'Telemetry' feature in PAN-OS?

Question 54 (medium, multiple choice)

Refer to the exhibit. What is the PAN-OS version running on the firewall?

Exhibit

```
admin@PA-5000> show system info | include sw-version
sw-version: 10.2.0
```
Question 55 (hard, multiple choice)

Refer to the exhibit. What is the default gateway of the firewall?

Exhibit

```
admin@PA-5000> show routing route

-----------------------------------------
Flags: A: Active, C: Candidate, S: Static, D: Dynamic, R: RIP, O: OSPF

---[Virtual Router default]---

Destination   Next Hop    Interface   Flags
0.0.0.0/0     10.0.0.1    ethernet1/1  A S
10.0.0.0/24   0.0.0.0     ethernet1/1  A C
```
Question 56 (medium, multiple choice)

Refer to the exhibit. What is the status of the commit job?

Exhibit

```
admin@PA-5000> show jobs all

Job ID: 12345
Type: Commit
Status: Pending
Submitted by: admin
```
Question 57 (medium, multi select)

Which two authentication methods can be used for administrative access to the firewall's web interface? (Choose two.)

Question 58 (hard, multi select)

Which three of the following are valid commit options in the PAN-OS GUI? (Choose three.)

Question 59 (easy, multi select)

Which three of the following services are commonly permitted on the management interface? (Choose three.)

Question 60 (medium, multiple choice)

A company uses Panorama to manage multiple firewalls. The administrator wants changes made in Panorama to be automatically pushed to managed firewalls without manual intervention. Which setting should be enabled?

Question 61 (easy, multiple choice)

An administrator needs to access the firewall's CLI via SSH, but the default SSH port (22) is blocked by the corporate firewall. Which configuration allows SSH on a non-standard port?

Question 62 (hard, multiple choice)

A firewall's management interface is configured with a public IP for remote management. After a firmware upgrade, HTTP access returns a 403 Forbidden error, but HTTPS works. What is the most likely cause?

Question 63 (hard, multiple choice)

An administrator notices repeated login failures from external IP 10.0.0.1 in the system logs. The admin wants to permanently block all traffic from that IP. Which approach is best practice?

Question 64 (hard, multiple choice)

A company uses Panorama to manage multiple firewalls. After pushing a template change, one firewall fails to commit with error 'invalid certificate path'. What is the most likely cause?

Question 65 (easy, multiple choice)

An administrator wants to configure the firewall to automatically synchronize its clock with an external NTP server. Which device management section is used?

Question 66 (medium, multiple choice)

An administrator configured SNMP community and trap destination under Device > Setup > Services, but no traps are received. What additional configuration is needed?

Question 67 (medium, multiple choice)

A firewall is configured with multiple Virtual Systems (vsys). An admin wants to assign a custom admin role that can manage only specific vsys. Which role type supports this?

Question 68 (easy, multiple choice)

Which license is required for the firewall to use URL filtering?

Question 69 (medium, multi select)

Which TWO conditions must be true for intra-zone traffic to be allowed between two interfaces in the same zone?

Question 70 (hard, multi select)

Which THREE log types can be forwarded to a syslog server?

Question 71 (easy, multi select)

Which TWO management methods allow CLI access to a Palo Alto Networks firewall?

Question 72 (easy, multiple choice)

An administrator configured NTP servers as shown. After committing, the firewall's time is not synchronized. Which additional configuration is required?

Exhibit

Refer to the exhibit.
```
set deviceconfig setting ntp server "pool.ntp.org"
set deviceconfig setting ntp server "time.google.com"
set deviceconfig setting ntp sync-interval 30
```
Question 73 (medium, multiple choice)

An administrator notices that the firewall's time is incorrect. Based on the exhibit, what is the most likely cause?

Exhibit

Refer to the exhibit.
```
> show system services status
Service          Status
DNS proxy        running
NTP              stopped
SNMP             running
Syslog           running
```
Question 74 (hard, multiple choice)

An administrator sees this log repeatedly. Which configuration change will allow 10.0.0.1 to access the management interface?

Exhibit

Refer to the exhibit.
```
2023/11/12 10:00:00,error,general,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, "Management policy check failed: login from 10.0.0.1 denied because host is not allowed"
```
Question 75 (easy, multiple choice)

An administrator modifies a security policy but the change does not take effect. What must the administrator do?

Question 76 (medium, multiple choice)

A Panorama-managed firewall currently allows SSH access from any IP. The security policy requires that administrative access to the firewall be possible only from Panorama. What should be configured?

Question 77 (hard, multiple choice)

A company is deploying a Palo Alto firewall in a high-availability (HA) pair. They want to ensure that when a failover occurs, session information is preserved to maintain active connections. Which feature must be enabled?

Question 78 (easy, multiple choice)

Which of the following is NOT a valid method for upgrading PAN-OS software on a Palo Alto firewall?

Question 79 (medium, multiple choice)

An administrator wants to ensure that a specific security policy rule is applied before all other rules. What should be configured?

Question 80 (hard, multiple choice)

A company uses Panorama to manage multiple firewalls. They have configured a template to push NTP settings, DNS, and authentication profiles. However, one firewall is not receiving the template settings. Which of the following is the most likely cause?

Question 81 (easy, multiple choice)

An administrator needs to check the system uptime of the firewall. Which CLI command should be used?

Question 82 (medium, multiple choice)

A firewall administrator notices that after a power outage, the firewall boots up but fails to load the last committed configuration. What should the administrator do to recover the configuration?

Question 83 (hard, multiple choice)

A company is deploying multiple Palo Alto firewalls and wants to manage them centrally. Which method should be used?

Question 84 (medium, multi select)

A security administrator is configuring Panorama to manage multiple firewalls. Which two actions are required to ensure that a firewall receives its configuration from Panorama? (Choose two.)

Question 85 (medium, multi select)

An organization is implementing a high availability pair of Palo Alto firewalls in active/passive mode. Which three actions are necessary for proper failover functionality? (Choose three.)

Question 86 (easy, multi select)

A network administrator wants to collect and analyze traffic logs from a Palo Alto firewall. Which two methods can be used? (Choose two.)

Question 87 (medium, multiple choice)

Refer to the exhibit. The administrator notices that traffic from 192.168.1.100 to 10.1.1.1 using HTTPS is being blocked. What is the most likely cause?

Exhibit

```
rulebase security rules
{
  "rule1" : {
    "action" : "allow",
    "source" : [ "192.168.1.0/24" ],
    "destination" : [ "10.0.0.0/8" ],
    "application" : [ "web-browsing" ],
    "service" : [ "application-default" ]
  }
}
```
Question 88 (hard, multiple choice)

Refer to the exhibit. What does this log indicate?

Exhibit

```
<log>
  <type>threat</type>
  <subtype>intrusion</subtype>
  <severity>critical</severity>
  <action>drop</action>
  <src>192.168.10.5</src>
  <dst>10.10.10.1</dst>
  <app>ssl</app>
  <threatid>40000</threatid>
</log>
```
Question 89 (easy, multiple choice)

Refer to the exhibit. What is the effect of this configuration?

Exhibit

```
<devices>
  <name>PA-220</name>
  <vlan>none</vlan>
  <ip>10.0.0.1/24</ip>
  <management-profile>allow-ping</management-profile>
</devices>
```
Question 90 (easy, multiple choice)

A company needs to receive email alerts for critical system events. What is the recommended method to configure email notifications on a Palo Alto Networks firewall?

Question 91 (easy, multiple choice)

An administrator upgrades a firewall from PAN-OS 9.1 to 10.0, but a subsequent commit fails. Which log should the administrator examine first to find the cause of the failure?

Question 92 (medium, multiple choice)

A company wants to centrally manage multiple firewalls using Panorama. They need to reduce management IP usage on the firewalls. Which Panorama deployment model best achieves this?

Question 93 (easy, multiple choice)

An administrator needs to quickly back up the device configuration to facilitate restoration after a hardware failure. Which method ensures the most reliable restoration?

Question 94 (medium, multiple choice)

A company deploys a pair of firewalls in Active/Passive HA. To ensure that active sessions are preserved during failover, which interface must be configured for state synchronization?

Question 95 (hard, multiple choice)

After enabling password complexity on a Palo Alto firewall, an administrator is unable to access the management web interface remotely. The administrator can still access the console locally. What is the most likely cause?

Question 96 (easy, multiple choice)

An administrator needs to perform a scheduled reboot of the firewall for maintenance. Which method provides the most control over the reboot timing?

Question 97 (medium, multiple choice)

An administrator configures SNMP monitoring on a firewall but receives no data from the SNMP manager. Which check should be performed first?

Question 98 (hard, multiple choice)

A company uses Panorama to manage multiple device groups. They want to push a set of global security policies to all firewalls. Where should the administrator configure these policies in Panorama?

Question 99 (medium, multi select)

Which TWO methods are valid for managing a Palo Alto Networks firewall? (Select two)

Question 100 (hard, multi select)

Which THREE are required for Panorama to manage a firewall? (Select three)

Question 101 (easy, multi select)

Which TWO are best practices for securing management access to a Palo Alto firewall? (Select two)

Question 102 (medium, multiple choice)

Refer to the exhibit. An administrator attempts to ping the firewall's management IP (192.168.1.1) from a host on the same subnet (192.168.1.0/24) but receives no response. What is the most likely cause?

Exhibit

admin@PA-500> show system info
System info:
Hostname: PA-500
Model: PA-500
- - -
Time since last reboot: 120 days
Free disk space: 70%
Management IP: 192.168.1.1/24
Management gateway: 192.168.1.254
Management interface: ethernet1/0
DNS settings:
- Primary: 8.8.8.8
- Secondary: 8.8.4.4

Question 103 (hard, multiple choice)

A company has deployed a pair of PA-5250 firewalls in an Active/Passive HA configuration. The management network uses a separate subnet with addresses 10.0.0.0/24. The active firewall's management IP is 10.0.0.1, passive is 10.0.0.2. They have a virtual router configured with static routes. The HA configuration uses HA1 (backplane) for heartbeat and HA2 for session sync. After a power failure, both firewalls reboot. The active firewall comes up first and becomes active. The passive firewall later joins, but fails to become passive; it remains in 'non-functional' state. The administrator observes the following:

- HA1 link is up on both firewalls.
- HA2 link shows 'waiting for HA2 link' on the active.
- The passive firewall's management IP is reachable.
- The active firewall shows 'peer unreachable' in HA status.

What is the most likely cause?

Question 104 (hard, multiple choice)

An administrator is tasked with centralizing the management of 50 Palo Alto firewalls spread across four geographical regions. The company has a Panorama VM deployed in the data center. Each firewall must receive a common set of security policies and URL filtering profiles, but regional administrators need the ability to add locally required policies. The administrator configures Panorama with device groups: 'Shared' device group for global policies, and four regional device groups (Americas, EMEA, APAC, Oceania). They create a template for basic network settings and use template stacks. After pushing the Device Group and Template configuration, some regional firewalls report that they are not receiving the shared policies. What is the most likely cause?

Question 105 (medium, multiple choice)

A company has two Palo Alto Networks firewalls in active/passive HA. The passive firewall failed and was replaced with a new unit. The network administrator initiates a configuration sync from the active to the new passive. After the sync, the passive unit shows as 'Active' instead of 'Passive'. What is the most likely cause?

Question 106 (easy, multi select)

A network administrator needs to configure certificate-based authentication for administrative access to the firewall's web interface. Which two actions are required?

Question 107 (medium, multi select)

A security analyst wants to send firewall logs to an external syslog server for long-term storage. Which three configuration steps are necessary?

Question 108 (easy, multiple choice)

A company runs a pair of PA-5250 firewalls in active/passive HA controlling the production data center (10 Gbps traffic). The security team needs to upgrade from PAN-OS 10.0 to 10.2 to fix several critical CVEs. The team has a maintenance window of four hours. The lead engineer suggests performing the upgrade in the following order: 1. Download and install the upgrade on the passive firewall, 2. Commit after install, 3. Perform a non-disruptive failover to make the passive active, 4. Upgrade the new passive (former active), 5. Fail back to the original active. A junior engineer points out that the passive firewall takes 30 minutes to boot and join the HA pair after upgrade. The maintenance window is only four hours. What should the team do to ensure the upgrade completes within the window?

Question 109 (easy, multiple choice)

An administrator configures log forwarding to send traffic logs to a syslog server. After applying the log forwarding profile to the security policy, logs are not appearing at the syslog server. The administrator verifies that the syslog server is reachable from the firewall's management IP by using ping, and that the syslog service is running on the server. What is the most likely cause?

Question 110 (medium, multiple choice)

A network administrator recently changed the admin password on a Palo Alto Networks firewall and logged out. The next day, the administrator attempts to log in via SSH but receives 'access denied' after three attempts. The administrator typically uses SSH from a management workstation. The firewall's management interface is still reachable via ping. The administrator suspects the account may be locked due to failed attempts. Since the administrator is not currently logged in, there is no way to unlock the account remotely. The administrator has physical access to the data center and can connect a laptop to the console port. What is the most efficient way to regain administrative access to the firewall?

Question 111 (hard, multiple choice)

A security analyst uses Panorama to generate a custom report on all traffic using the application 'facebook-base' across the enterprise. The analyst creates a new report template in Panorama with the filter '(app eq facebook-base)' and runs the report for the past 30 days. The report returns zero results. However, when the analyst logs into a specific firewall and queries the traffic logs using the same filter, results appear. The analyst confirms that the firewall is configured to forward logs to Panorama and that Panorama receives logs from all firewalls. What is the most likely reason the Panorama report fails to return data?

Question 112 (hard, multiple choice)

A company purchases a new PA-410 firewall and installs it in a branch office. After configuring basic network settings, the administrator attempts to install the threat prevention license. The firewall is connected to the internet via a NAT device. The administrator registers the firewall with the Palo Alto Networks support portal using the serial number. The license is successfully added to the account. However, when checking the firewall's license status via the web interface, it shows 'Authentication Failed' for the license. The administrator can ping a well-known DNS server from the firewall's management IP. What is the most likely cause?

Question 113 (hard, multiple choice)

An administrator notices that the firewall's web interface is accessible via HTTPS but shows an expired certificate warning. The firewall's management certificate was issued by an internal CA and has a validity of two years. The administrator checks the certificate and sees it expired yesterday. The administrator generates a new self-signed certificate through the firewall's GUI. After generating, the administrator assigns the new certificate to the HTTPS management interface. Despite this, the firewall still presents the old expired certificate when accessed. What is the most likely cause?

Question 114 (medium, multi select)

A network administrator needs to ensure that firewall-generated traffic (e.g., NTP queries, DNS lookups, Panorama communications) uses a specific source IP address from a loopback interface. Which two configuration steps are required? (Choose two.)

Question 115 (hard, multiple choice)

After a firewall upgrade, the system clock shows a time that is five minutes behind the actual time, even though NTP is synchronized. What is the most likely cause?

Exhibit

Refer to the exhibit.
admin@PA-500> show system state | match "ntp|time"
ntp-config:
  ntp-servers {
    primary-ntp-server {
      address: pool.ntp.org;
    }
    secondary-ntp-server {
      address: time.google.com;
    }
  }
  ntp-admin-state: enabled;
  ntp-sync-state: sync;
time-config:
  timezone: America/New_York;
  current-time: 2025-03-15 14:30:22;

Question 116 (easy, multiple choice)

A company has a pair of PA-5220 firewalls configured in an active/passive high-availability (HA) cluster. The devices are managed via Panorama, which also manages other firewalls. The security team reports that after a recent commit on Panorama, the passive firewall in the HA pair stops responding to management pings. The active firewall continues to pass traffic and is manageable. Upon investigation, the passive firewall shows the following on its console: 'Management plane is down.' The administrator suspects the passive firewall might have received a configuration that disables the management interface. What should the administrator do to restore management access to the passive firewall without affecting production traffic?
