Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Managing Objects practice sets

PCNSA Managing Objects • Complete Question Bank

PCNSA Managing Objects — All Questions With Answers

Complete PCNSA Managing Objects question bank — all 0 questions with answers and detailed explanations.

53
Questions
Free
No signup
Certifications/PCNSA/Practice Test/Managing Objects/All Questions
Question 1easymultiple choice
Read the full Managing Objects explanation →

An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?

Question 2mediummultiple choice
Read the full VPN explanation →

A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?

Question 3hardmultiple choice
Read the full Managing Objects explanation →

During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?

Question 4mediummultiple choice
Read the full Managing Objects explanation →

An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?

Question 5mediummulti select
Read the full Managing Objects explanation →

Which TWO statements about External Dynamic Lists (EDLs) are true?

Question 6hardmultiple choice
Read the full DNS explanation →

An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?

Question 7mediummultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. An administrator configured a dynamic address group named 'WebServers-Group' with filter 'WebServer-*'. However, the group does not include the address objects 'WebServer-1' and 'WebServer-2'. What is the most likely reason?

Exhibit

Refer to the exhibit.

deviceconfig {
    devices {
        localhost.localdomain {
            vsys {
                vsys1 {
                    address {
                        entry {
                            @name = "WebServer-1";
                            ip-netmask = "10.0.1.10/32";
                        }
                        entry {
                            @name = "WebServer-2";
                            ip-range = "10.0.1.20-10.0.1.25";
                        }
                        entry {
                            @name = "WebServers-Group";
                            dynamic {
                                filter = "'WebServer-*'";
                            }
                        }
                    }
                }
            }
        }
    }
}
Question 8hardmulti select
Read the full Managing Objects explanation →

Which TWO of the following are valid methods to add an IP address to a pre-existing address group in PAN-OS? (Select two.)

Question 9hardmultiple choice
Read the full VPN explanation →

A security administrator manages a Palo Alto Networks firewall in a large enterprise. The company has multiple remote sites connected via IPSec VPNs. Each site has its own subnet (e.g., Site A: 10.10.1.0/24, Site B: 10.10.2.0/24). The administrator needs to create a security policy that allows all inter-site traffic but blocks all traffic to and from the internet except for specific services. The administrator wants to use address groups to simplify management. Currently, there are address groups for each site (e.g., 'Site-A-Networks', 'Site-B-Networks') containing the respective subnets. The administrator also has an address group 'Internet-Allow' for allowed external IPs. The policy should have a rule that permits traffic from any site to any other site, and a rule that permits traffic from internal networks to the 'Internet-Allow' group for destination ports 80 and 443. Which of the following approaches best achieves this with minimal administrative overhead?

Question 10mediumdrag order
Read the full VPN explanation →

Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 11mediumdrag order
Open the full VLAN trunking answer →

Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Read the full Managing Objects explanation →

Match each firewall deployment mode to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Passively monitors traffic without blocking

Transparent layer 2 deployment

Routable mode with IP addresses

Failover configuration with one standby unit

Question 13mediummatching
Read the full Managing Objects explanation →

Match each PAN-OS CLI command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays firewall version and uptime

Lists all interfaces and their status

Displays active security rules

Reboots the firewall

Question 14easymultiple choice
Read the full NAT/PAT explanation →

A network administrator needs to block traffic to a specific external website. Which object type should be used in the security policy to define the destination?

Question 15mediummultiple choice
Read the full Managing Objects explanation →

An administrator has created an address group that includes an FQDN address object. When the FQDN's IP address changes, how does the firewall update the group?

Question 16hardmultiple choice
Read the full Managing Objects explanation →

An organization uses multiple firewalls and wants to share dynamic address groups across them. Which feature should be used?

Question 17easymultiple choice
Read the full Managing Objects explanation →

A security policy rule references a service object "HTTP" which is pre-defined. What is the default port for the HTTP service object?

Question 18mediummultiple choice
Review the full subnetting walkthrough →

An administrator needs to allow traffic from multiple subnets to a specific internal server. The subnets are all part of the same address group. Which object would simplify the security policy rule?

Question 19hardmultiple choice
Read the full Managing Objects explanation →

A company uses dynamic address groups based on tags. A virtual machine receives the tag "WebServer". After the VM is decommissioned, the tag is removed. What happens to the dynamic address group?

Question 20easymultiple choice
Read the full Managing Objects explanation →

Which object type is used to group multiple service objects together for use in a security policy?

Question 21mediummultiple choice
Read the full Managing Objects explanation →

An administrator creates a custom service object for TCP port 3389. What is the standard name for this service?

Question 22hardmultiple choice
Read the full Managing Objects explanation →

A firewall administrator needs to allow traffic based on the application, not just port. Which type of object should be used in the security policy?

Question 23easymulti select
Read the full Managing Objects explanation →

Which TWO types of address objects can be used in a security policy? (Choose two.)

Question 24mediummulti select
Read the full Managing Objects explanation →

Which THREE are valid object types in Palo Alto Networks NGFW? (Choose three.)

Question 25hardmulti select
Read the full Managing Objects explanation →

A security policy rule has an action of "allow". Which TWO objects are mandatory for the rule to be valid? (Choose two.)

Question 26easymultiple choice
Read the full Managing Objects explanation →

How many address objects are members of the 'web-servers' address group?

Exhibit

Refer to the exhibit.
config shared object address-group 'web-servers'
   type static
   member [ 'server1' 'server2' ]
end
Question 27mediummultiple choice
Read the full NAT/PAT explanation →

Based on the log excerpt, which object is used for the destination address?

Exhibit

Refer to the exhibit.
debug log message: 'rule 'Allow-Web', source zone 'trust', destination zone 'untrust', source user 'any', source address '10.0.0.0/8', destination address 'any', application 'web-browsing', service 'service-http', action 'allow'.'
Question 28hardmultiple choice
Read the full NAT/PAT explanation →

A security policy rule uses 'MyService' and 'ServerGroup'. What is the destination port of the allowed traffic?

Exhibit

Refer to the exhibit.
show running config | match object
set service 'MyService' protocol tcp port 443
set address 'MyServer' ip-netmask 192.168.1.10/32
set address-group 'ServerGroup' static [ MyServer ]
Question 29easymultiple choice
Read the full Managing Objects explanation →

A security administrator needs to create an address object for a single host with IP address 192.168.1.100. Which address type should the administrator choose?

Question 30easymultiple choice
Read the full Managing Objects explanation →

An administrator wants to group multiple servers with different IP addresses that all use the same port 443. What is the most efficient way to create a security policy rule for this traffic?

Question 31mediummultiple choice
Read the full Managing Objects explanation →

A company needs to block a list of known malicious domains that is updated daily by a threat intelligence vendor. Which Palo Alto Networks object should be used?

Question 32mediummultiple choice
Read the full Managing Objects explanation →

An administrator creates a dynamic address group named 'prod-servers' configured to match any tag with the value 'production'. After tagging address objects with 'Production' (capital P), the group does not include them. What is the most likely cause?

Question 33mediummultiple choice
Read the full Managing Objects explanation →

An administrator wants to create a service object for TCP port 8080 and call it 'web-proxy'. Which properties must be specified?

Question 34hardmultiple choice
Read the full Managing Objects explanation →

A large enterprise uses dynamic address groups based on tags to manage firewall policies. The administrator notices that a specific address object is being incorrectly included in a dynamic address group that should only contain servers from a different region. What could be the reason?

Question 35hardmultiple choice
Read the full DNS explanation →

An administrator is troubleshooting a security policy that uses a service group containing both TCP and UDP service objects. The policy is intended to allow DNS traffic (UDP 53 and TCP 53). The rule is not allowing TCP DNS. What is the most likely issue?

Question 36hardmultiple choice
Read the full Managing Objects explanation →

An organization uses an External Dynamic List (EDL) to block IP addresses. The EDL is updated every 5 minutes on the server, but the firewall still uses the old list even after the refresh interval. What is the most likely cause?

Question 37mediummultiple choice
Read the full Managing Objects explanation →

An admin creates an application group named 'web-apps' that includes 'web-browsing' and 'ssl'. They apply it to a security rule. However, traffic from a client accessing Facebook is being blocked. What is a likely reason?

Question 38mediummulti select
Read the full Managing Objects explanation →

An administrator needs to create a service group for a custom application that uses TCP ports 1000 and 2000. Which two methods will successfully create a service group that can be used in a single security rule? (Choose two.)

Question 39mediummulti select
Read the full Managing Objects explanation →

Which three of the following are valid types of address objects in Palo Alto Networks? (Choose three.)

Question 40mediummulti select
Read the full Managing Objects explanation →

Which three of the following are true about tag-based dynamic address groups? (Choose three.)

Question 41mediummultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. An admin adds a new address object 'web-04' with IP 10.0.0.4 and applies it to a security policy that references the address group 'web-servers'. However, traffic to 10.0.0.4 is not allowed. What is the most likely cause?

Exhibit

> show address-group "web-servers"
Address group name: web-servers
Type: static
Members:
  web-01
  web-02
  web-03
Question 42hardmultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. An admin adds a new address object 'db-03' with IP 10.0.0.3 and tags it with 'database'. However, 'db-03' does not appear in the group. What could be the reason?

Exhibit

> show address-group "db-servers"
Address group name: db-servers
Type: dynamic
Match tags: any
Tags: database
Members:
  db-01 (tag: database)
  db-02 (tag: database)
Question 43easymultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. An admin reviews the traffic log and sees that traffic from 192.168.1.100 to 10.0.0.50 is allowed by rule 'rule1'. The rule uses a service group 'web-services' which includes 'service-http' and 'service-https'. However, the admin intended to block HTTPS traffic. What is the misconfiguration?

Exhibit

TRAFFIC log:
  time: 2024/01/01 10:00
  src: 192.168.1.100
  dst: 10.0.0.50
  rule: rule1
  action: allow
  application: web-browsing
  service: service-https
Question 44mediummultiple choice
Read the full NAT/PAT explanation →

A security administrator is configuring an address object for a web server accessible from the internet. The server has a public IP of 203.0.113.10/32 and a private IP of 10.0.1.10/32. The administrator needs to create a security policy that allows inbound HTTPS traffic to the server. Which address object type should be used for the destination?

Question 45hardmultiple choice
Read the full Managing Objects explanation →

An organization has deployed Palo Alto Networks firewalls in a multi-tenant environment. Each tenant has its own set of address objects and address groups. The firewall administrator wants to ensure that address objects from one tenant cannot be used in security policies of another tenant. What is the best practice to achieve this?

Question 46easymulti select
Read the full Managing Objects explanation →

Which TWO of the following are valid types of address objects in Palo Alto Networks? (Choose two.)

Question 47mediummultiple choice
Read the full Managing Objects explanation →

A company uses a Palo Alto Networks firewall to control outbound access. They have created custom application filters to block social media and streaming. However, they need to allow a specific corporate YouTube channel for training videos. The administrator creates an application group "Corporate-YouTube" containing the "youtube-base" application, and adds a security rule to allow traffic from internal users to the application group. Despite this, users still cannot access the corporate YouTube channel. What is the most likely reason?

Question 48hardmultiple choice
Read the full Managing Objects explanation →

A network administrator manages a Palo Alto Networks firewall in a datacenter. They have configured dynamic address groups (DAGs) to automatically include servers based on tags. The tags are assigned via User-ID from Active Directory. The administrator notices that some servers that should be in the DAG are not appearing, while others are correctly added. The firewall is configured to receive User-ID information from a domain controller via the PAN-OS Agent. The tags are correctly assigned in Active Directory. What should the administrator verify first?

Question 49easymultiple choice
Read the full VPN explanation →

A small business uses a Palo Alto Networks PA-220 firewall. The administrator needs to create a security policy to allow inbound VPN connections from remote employees using IPsec. The remote employees connect using dynamic IP addresses. The administrator creates an address object "Remote-VPN-Users" of type "IP Range" but that doesn't work because the IPs are not known. What address object type should be used instead?

Question 50mediummultiple choice
Read the full NAT/PAT explanation →

A healthcare organization uses Palo Alto Networks firewalls to secure patient data. They have strict compliance requirements to log all access to medical records servers. The servers are grouped in an address group "Medical-Servers". The administrator wants to ensure that any security policy that uses this address group as destination also logs the session end. They also want to reduce administrative overhead. What is the best way to enforce logging for all policies referencing this group?

Question 51mediummulti select
Review the full subnetting walkthrough →

A security administrator needs to create address objects for a group of servers that share the same subnet 192.168.10.0/24. Which TWO methods can be used to efficiently manage these objects in Palo Alto Networks firewall configuration?

Question 52hardmultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. A newly deployed web server has an address object with tags 'Production' and 'Web'. However, the 'Allow SSL to Internet' security rule using the dynamic address group 'MyServers' as source is not matching traffic destined to the internet. What is the most likely cause?

Exhibit

admin@PA-5050> show running address-group MyServers
  name: MyServers
  type: dynamic
  filter: "'Production' andd 'Web'"
Question 53easymultiple choice
Read the full Managing Objects explanation →

A company with a Palo Alto Networks firewall operating in Layer 2 transparent mode wants to control access to an internal ERP system. The ERP system uses a non-standard TCP port 4444. The security administrator creates a custom application object named 'ERP' with protocol set to 'tcp' and port range 4444-4444. Then, a security policy is configured allowing application 'ERP' from the internal zone to the ERP server zone. Users report they cannot connect to the ERP system. Firewall logs show no traffic matching the application 'ERP'. What should the administrator do to resolve the issue?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSA Practice Test 1 — 10 Questions→PCNSA Practice Test 2 — 10 Questions→PCNSA Practice Test 3 — 10 Questions→PCNSA Practice Test 4 — 10 Questions→PCNSA Practice Test 5 — 10 Questions→PCNSA Practice Exam 1 — 20 Questions→PCNSA Practice Exam 2 — 20 Questions→PCNSA Practice Exam 3 — 20 Questions→PCNSA Practice Exam 4 — 20 Questions→Free PCNSA Practice Test 1 — 30 Questions→Free PCNSA Practice Test 2 — 30 Questions→Free PCNSA Practice Test 3 — 30 Questions→PCNSA Practice Questions 1 — 50 Questions→PCNSA Practice Questions 2 — 50 Questions→PCNSA Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficCore ConceptsPalo Alto Networks Platforms and ArchitectureDevice Management and ServicesApp-ID and Content-IDDecryption and Monitoring

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Managing Objects setsAll Managing Objects questionsPCNSA Practice Hub