Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Palo Alto Networks Platforms and Architecture practice sets

PCNSA Palo Alto Networks Platforms and Architecture • Complete Question Bank

PCNSA Palo Alto Networks Platforms and Architecture — All Questions With Answers

Complete PCNSA Palo Alto Networks Platforms and Architecture question bank — all 0 questions with answers and detailed explanations.

69
Questions
Free
No signup
Certifications/PCNSA/Practice Test/Palo Alto Networks Platforms and Architecture/All Questions
Question 1easymultiple choice
Review the full subnetting walkthrough →

A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?

Question 2mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

Question 3hardmultiple choice
Read the full NAT/PAT explanation →

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

Question 4easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company wants to ensure that all traffic from the internet to their internal web server is inspected for threats. Which configuration component is essential to achieve this?

Question 5mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?

Question 6hardmultiple choice
Review the full subnetting walkthrough →

A firewall is configured with multiple virtual routers. Traffic from a host in Vsys A needs to reach a server in Vsys B. Both virtual routers have direct routes to their respective subnets. What additional configuration is required?

Question 7easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An administrator needs to provide internet access to employees while blocking access to social media sites. Which feature should be used to identify and block social media traffic?

Question 8mediummultiple choice
Review the full subnetting walkthrough →

A security team is deploying a Palo Alto Networks firewall in an AWS VPC using the VM-Series. They need to ensure that traffic between two subnets within the same VPC is inspected by the firewall. What is the required network configuration?

Question 9hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An organization uses GlobalProtect for remote access. Users report that they cannot connect to the portal. The firewall's GlobalProtect portal configuration is correct, and the firewall has a valid certificate. What is the most likely cause of the issue?

Question 10mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An administrator is configuring a new Palo Alto Networks firewall and wants to ensure that management access to the firewall is secure. Which of the following is a best practice for securing management access?

Question 11easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A firewall is configured with multiple security zones. Traffic from the 'Untrust' zone to the 'DMZ' zone is allowed for web services. The administrator wants to ensure that the DMZ servers cannot initiate connections to the Untrust zone. What is the correct approach?

Question 12mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A security engineer is troubleshooting a connectivity issue where internal users cannot reach a public web server hosted on the internet. The firewall is configured with a security policy that allows traffic from the internal zone to the external zone on port 80. The engineer notices that traffic is being dropped. Upon checking the session table, the engineer sees that the session is initiated correctly but the return traffic is not matching the existing session. What is the most likely cause?

Question 13hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network administrator is designing a Palo Alto Networks firewall deployment for a large enterprise with multiple branch offices. The requirement is to ensure that if the primary firewall at headquarters fails, the branch offices can still access the internet via a local breakout using a redundant firewall at the branch. Which architecture best meets this requirement with minimal complexity?

Question 14easymulti select
Study the full virtualization explanation →

Which TWO of the following are valid methods to deploy a Palo Alto Networks firewall in a virtualized environment? (Choose two.)

Question 15mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Refer to the exhibit. A user from the trust zone (10.0.0.5) is trying to access a web server at 203.0.113.1 on port 80. The firewall shows a session with application 'incomplete'. What is the most likely reason for this?

Exhibit

Refer to the exhibit.

show system info | match model
vm-series

show running security-policy
set rulebase security rules "Allow-Web" from [ trust ] to [ untrust ] source [ 10.0.0.0/24 ] destination [ any ] application [ web-browsing ] service [ application-default ] action allow
set rulebase security rules "Block-All" from [ any ] to [ any ] source [ any ] destination [ any ] application [ any ] service [ any ] action deny

show running nat-policy
set rulebase nat rules "NAT-Internet" from [ trust ] to [ untrust ] source [ 10.0.0.0/24 ] destination [ any ] service [ any ] to-interface [ ethernet1/2 ] snat-interface

show session all filter source 10.0.0.5
session id 12345, application incomplete, source 10.0.0.5:50000, destination 203.0.113.1:80, nat source 10.0.0.5, nat destination 203.0.113.1, rule Allow-Web, nat rule NAT-Internet, state active, type flow
Question 16mediumdrag order
Read the full Palo Alto Networks Platforms and Architecture explanation →

Drag and drop the steps to configure a User-ID agent on a Palo Alto Networks firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 17mediummatching
Read the full Palo Alto Networks Platforms and Architecture explanation →

Match each Palo Alto Networks service to its typical use.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Centralized management of multiple firewalls

Threat intelligence and analysis

SaaS security for cloud applications

Endpoint detection and response

Question 18easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company needs to deploy a firewall for a branch office with 50 users. Which Palo Alto Networks platform is most appropriate for this requirement?

Question 19mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network administrator notices that the firewall's dataplane CPU is consistently above 80% during peak hours. The administrator wants to reduce CPU load without impacting security. Which action should the administrator take?

Question 20hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An organization deploys VM-Series firewalls in a public cloud. They need to ensure consistent security policy management across multiple cloud accounts. Which architecture best addresses this requirement?

Question 21mediummultiple choice
Read the full NAT/PAT explanation →

An administrator is configuring Network Address Translation (NAT) on a Palo Alto Networks firewall. Which of the following statements about the order of NAT rule evaluation is correct?

Question 22easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which of the following is a best practice when creating security policy rules on a Palo Alto Networks firewall?

Question 23hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Two Palo Alto Networks firewalls are configured in an active/passive high-availability pair. During a failover event, the passive firewall becomes active but the session table is empty. What is the most likely cause?

Question 24mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An administrator needs to decrypt HTTPS traffic from external users to the company's web servers. Which decryption policy should the administrator configure?

Question 25easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which Palo Alto Networks subscription service provides real-time threat intelligence about unknown files and links?

Question 26hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A security policy allows traffic from zone 'Trust' to zone 'Untrust' for HTTP and HTTPS. The administrator notices that the traffic is being processed by the firewall but no session is created in the session table for the first packet of a new connection. What is the most likely reason?

Question 27mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Refer to the exhibit. The firewall is currently running PAN-OS 9.1.4. The administrator wants to upgrade to the latest available version shown. What should the administrator do first?

Exhibit

Refer to the exhibit.

admin@PA-220> show system info
System info:
Hostname: PA-220
Model: PA-220
Serial: 0123456789
Software version: 9.1.4
Operating mode: normal
Uptime: 10 days, 5 hours, 23 mins

admin@PA-220> show system software status
PAN-OS version: 9.1.4
Installed packages: none
Latest available: 9.1.7
Question 28hardmultiple choice
Review the full routing breakdown →

Refer to the exhibit. The firewall cannot reach the Internet. Based on the routing table, what is the most likely cause?

Exhibit

Refer to the exhibit.

admin@PA-3220> show routing route table default

IPv4 Route Table for virtual-router default (0 entries)

No routes

admin@PA-3220> show routing route
destination                                nexthop        metric   flags   interface
0.0.0.0/0                                   10.1.1.1       10       A       ethernet1/1
10.1.1.0/24                                0.0.0.0        0       C       ethernet1/1
192.168.1.0/24                             0.0.0.0        0       C       ethernet1/2
Question 29easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Refer to the exhibit. Which profile group is applied to this security rule?

Exhibit

Refer to the exhibit.

Security rule configuration:

description: 'Allow web traffic'
source-zone: Trust
destination-zone: Untrust
source-address: 192.168.1.0/24
destination-address: any
application: web-browsing, ssl
service: application-default
action: allow
profile-group: strict-profile-group
log-end: yes
Question 30mediummulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which TWO of the following are valid methods to centrally manage multiple Palo Alto Networks firewalls?

Question 31hardmulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which THREE of the following are requirements for configuring High Availability (HA) on Palo Alto Networks firewalls?

Question 32easymulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which TWO of the following are valid log types on a Palo Alto Networks firewall?

Question 33easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company has a PA-5250 firewall with 10 Gbps threat prevention throughput. They are planning to enable SSL decryption for all traffic. What is the most likely impact on the firewall's throughput?

Question 34mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network administrator is configuring a new PA-220 firewall. The management interface (MGT) must be accessible from the internal network for GUI access. Which IP address should be assigned to the MGT interface?

Question 35hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Two PA-3220 firewalls are configured in an active/passive HA pair. The passive firewall's configuration becomes out of sync with the active firewall after a software upgrade. What is the most efficient way to resynchronize the configuration?

Question 36mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company uses Palo Alto Networks firewalls and wants to decrypt inbound traffic to their web server. Which decryption type should be configured?

Question 37easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network engineer needs to apply the same security policy to multiple firewalls. Which tool should be used to centralize policy management?

Question 38hardmultiple choice
Read the full network assurance explanation →

A firewall is configured to send logs to an external syslog server. Some logs are missing, but other logs are arriving. Which step should be taken to troubleshoot this issue?

Question 39easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A security administrator wants to block traffic from a specific country using the firewall. How can this be achieved with minimal administrative overhead?

Question 40mediummultiple choice
Review the full routing breakdown →

An organization has multiple virtual routers on a single firewall. Traffic between two virtual routers must be inspected by security policies. How should this be configured?

Question 41hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A PA-5250 firewall is experiencing high CPU usage on the dataplane. Analysis shows that a large amount of traffic is being processed by the application identification engine. What can be done to reduce the CPU load?

Question 42mediummulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which TWO of the following are valid dataplane components in a Palo Alto Networks firewall?

Question 43hardmulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which THREE of the following are valid features of Palo Alto Networks active/passive HA?

Question 44easymulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which TWO of the following are stages in the packet processing flow on a Palo Alto Networks firewall?

Question 45mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Based on the exhibit, what is the most likely cause if the firewall is dropping new connections but existing sessions continue to work?

Exhibit

Refer to the exhibit.

> show system info

Hardware model: PA-5250
Serial number: 007200000123
Software version: 10.1.3
System uptime: 14 days, 3 hours, 22 minutes
System time: Tue Jul 25 14:35:12 2023

Eth0/0: 192.168.1.1/24
Eth0/1: 10.0.0.1/24

Sessions active: 25000
Devices active: 120
Question 46hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Based on the exhibit, what will happen when a user in the trust zone attempts to access an HTTPS website (TCP 443)?

Exhibit

Refer to the exhibit.

config

security {
    rules {
        rule allow-http {
            source-zone [ trust ];
            destination-zone [ untrust ];
            source-address [ any ];
            destination-address [ any ];
            application [ web-browsing ];
            service [ application-default ];
            action allow;
            log-start yes;
        }
    }
}
Question 47easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Based on the exhibit, what action did the firewall take on this traffic?

Exhibit

Refer to the exhibit.

2023/07/25 14:35:12,THREAT,url,1,2023/07/25 14:35:12,192.168.1.10,203.0.113.5,192.168.1.10,203.0.113.5,allow,,,web-browsing,vsys1,trust,untrust,ethernet1/1,ethernet1/2,2012,1,1,45,2023/07/25 14:35:12,0,any,0,2621440000,10.0.0.1,0,0,0,0,,PA-5250,from-policy,,,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

Note: The log entry is truncated for readability.
Question 48easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A junior administrator is investigating a network issue where traffic to a critical server is being blocked. To see the specific security rule that matched and the action taken, which log should the administrator review?

Question 49mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network engineer is configuring a new PA-220 firewall in a small branch office. The firewall must be managed centrally from Panorama. What is the first step after physically installing the firewall?

Question 50hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A security architect is planning a deployment for a multi-tenant data center where each tenant requires isolated security policies and separate administrators. Which Palo Alto Networks architecture best meets these requirements?

Question 51easymultiple choice
Review the full routing breakdown →

An administrator needs to deploy a Palo Alto Networks firewall in a location where the network infrastructure does not support routing. The firewall must be transparent to the existing network. Which deployment mode should be used?

Question 52mediummultiple choice
Read the full VPN explanation →

A company is expanding its network and needs to add a new data center. The two data centers will be connected via a WAN link. To protect the traffic between data centers, the security team wants to use site-to-site VPNs. Which Palo Alto Networks feature is used to route traffic between VPN tunnels and security zones?

Question 53hardmultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

An organization is experiencing performance degradation on their PA-5250 firewall after enabling SSL decryption for all traffic. The firewall's CPU usage is consistently above 80%. The decision is made to offload SSL decryption to a dedicated appliance. Which deployment architecture allows the Palo Alto firewall to inspect decrypted traffic while the decryption occurs elsewhere?

Question 54easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network administrator wants to ensure that if the primary firewall fails, a secondary firewall takes over without any manual intervention. Which high availability feature is essential for this automatic failover?

Question 55mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company deploys a Palo Alto Networks firewall in a cloud environment using the VM-Series. The firewall must scale to handle traffic spikes. Which architectural approach provides the best elasticity and management simplicity?

Question 56hardmultiple choice
Review the full routing breakdown →

A security engineer must ensure that all traffic from a specific branch office to the internet is inspected by the company's Palo Alto firewall before reaching the internet. However, the branch office has a local router that routes directly to the ISP. What architectural change is required to enforce this?

Question 57easymulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

Which three components are part of the Palo Alto Networks Next-Generation Firewall architecture? (Choose three.)

Question 58mediummulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company is designing a high availability deployment and wants to minimize downtime. Which two configurations are required for session failover? (Choose two.)

Question 59hardmulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

A security architect is evaluating the VM-Series firewall for a private cloud deployment. Which three features are specific to the VM-Series that differentiate it from physical Palo Alto firewalls? (Choose three.)

Question 60mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Refer to the exhibit. A network engineer executes the "show system info" command and sees the above output. Based on the model and PAN-OS version, which of the following is true about this firewall?

Exhibit

show system info
System info:
Hostname: FW-01
Model: PA-5250-5G
PAN-OS version: 10.1.6
Serial number: 0123456789
System uptime: 14 days, 3 hours, 45 minutes
Question 61hardmultiple choice
Review the full routing breakdown →

A large enterprise operates multiple data centers with a Palo Alto Networks firewall pair in each data center in active/passive HA. The firewalls are managed by Panorama. Recently, after a power outage in Data Center A, both firewalls in that data center came back online but are not passing traffic. The network team confirms that the switches and routers are operational. The Panorama administrator sees that both firewalls are connected and show green in the Managed Devices tab. However, the active firewall in Data Center A shows "HA state: passive" and the other firewall also shows "passive". The administrator suspects a configuration issue. What is the most likely cause and corrective action?

Question 62mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A small business uses a single PA-220 firewall for internet access and has three internal zones: Trust, DMZ, and Guest. Users in the Trust zone report intermittent connectivity to a public cloud application. The firewall administrator checks the traffic logs and sees that sessions to the cloud application show "Application: ssl" and "Action: allow". The administrator suspects the issue might be related to decryption. The firewall currently has a decryption policy that decrypts all outbound HTTPS traffic for threat inspection. The cloud application uses certificate pinning and breaks when decrypted. What is the best solution to allow this application to function while still decrypting other traffic?

Question 63easymulti select
Read the full Palo Alto Networks Platforms and Architecture explanation →

A network administrator is configuring a Palo Alto Networks firewall in a datacenter. Which TWO traffic types can be inspected by the firewall's Threat Prevention subscription? (Choose two.)

Question 64mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A medium-sized enterprise recently deployed a pair of PA-5250 firewalls in an active/passive high-availability configuration. The network team notices that after a failover event, the new active firewall does not pass any traffic for about 30 seconds, even though the session table is synchronized. Users report that existing connections break and need to be re-established. The firewall is configured to use session state synchronization and failover triggers based on link state and ping to the next-hop gateway. Which action should the administrator take to minimize traffic disruption during failover?

Question 65hardmultiple choice
Open the full VLAN trunking answer →

A large financial institution runs a PA-5250 firewall in a virtual wire mode between two core switches. The firewall is configured with multiple virtual wire sub-interfaces to segregate traffic for different VLANs. Recently, the security team noticed that multicast traffic from a critical trading application is not being forwarded across the virtual wire link. The firewall has multicast policies enabled, and the trading application uses IGMPv3. The administrator has verified that the firewall's multicast policy allows the traffic and that the IGMP snooping is enabled on the adjacent switches. However, the multicast stream does not reach the receivers on the other side. Which step should the administrator take to resolve this issue?

Question 66easymultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

A company has a single Palo Alto Networks firewall protecting its internet connection. The IT team wants to allow remote employees to access internal resources using GlobalProtect. They have already configured the portal and gateway on the firewall, and users can successfully connect and obtain an IP address from the IP pool assigned to the gateway. However, remote users report that they cannot access any internal servers after connecting. The firewall has security policies that allow traffic from the GlobalProtect gateway's IP pool to the internal servers. Which additional configuration step is most likely required?

Question 67easymulti select
Study the full SD-WAN breakdown →

A small business needs a firewall that supports at least 500 Mbps firewall throughput and includes integrated SD-WAN capabilities. Which TWO Palo Alto Networks platforms meet these requirements? (Choose two.)

Question 68mediummultiple choice
Read the full Palo Alto Networks Platforms and Architecture explanation →

Refer to the exhibit. A network administrator sees this output from a Palo Alto Networks firewall. What does the 'System mode: virtual' indicate about this firewall?

Exhibit

System info:
Model: PA-5250
Software version: 10.0.3
Uptime: 45 days, 12:34:56
System mode: virtual
Question 69hardmultiple choice
Read the full VPN explanation →

A company has deployed PA-220 firewalls at 50 branch offices, each connected to the corporate headquarters via IPSec VPN tunnels. Recently, users have reported slow file transfers across the VPN, especially for large files. The network team has checked link utilization and found that the VPN tunnel bandwidth is under 20% utilized, and CPU on the firewalls is around 40%. The security policies are basic, with no threat prevention profiles applied to the VPN traffic. The team suspects the issue is related to VPN performance. After reviewing the configuration, they notice that the VPN tunnels are configured with default settings. Which of the following actions would most likely improve VPN throughput without requiring hardware upgrades or changing the security level?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSA Practice Test 1 — 10 Questions→PCNSA Practice Test 2 — 10 Questions→PCNSA Practice Test 3 — 10 Questions→PCNSA Practice Test 4 — 10 Questions→PCNSA Practice Test 5 — 10 Questions→PCNSA Practice Exam 1 — 20 Questions→PCNSA Practice Exam 2 — 20 Questions→PCNSA Practice Exam 3 — 20 Questions→PCNSA Practice Exam 4 — 20 Questions→Free PCNSA Practice Test 1 — 30 Questions→Free PCNSA Practice Test 2 — 30 Questions→Free PCNSA Practice Test 3 — 30 Questions→PCNSA Practice Questions 1 — 50 Questions→PCNSA Practice Questions 2 — 50 Questions→PCNSA Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Managing ObjectsPolicy Evaluation and ManagementSecuring TrafficCore ConceptsPalo Alto Networks Platforms and ArchitectureDevice Management and ServicesApp-ID and Content-IDDecryption and Monitoring

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Palo Alto Networks Platforms and Architecture setsAll Palo Alto Networks Platforms and Architecture questionsPCNSA Practice Hub