Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PCNSA Core Concepts • Complete Question Bank

PCNSA Core Concepts — All Questions With Answers

Complete PCNSA Core Concepts question bank — all 0 questions with answers and detailed explanations.

50 Questions • Free • No signup

Question 1 • medium • multiple choice

A network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?

Question 2 • hard • multiple choice

An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?

Question 3 • easy • multiple choice

A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?

Question 4 • medium • multiple choice

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

Exhibit

Refer to the exhibit.

```
admin@PA-500> show counter global | match tcp

tcp-conn-init           1500
tcp-conn-established    1200
tcp-conn-closed         1400
tcp-conn-failed         200
tcp-conn-reset          100
tcp-conn-half-open      50
tcp-conn-timeout        30
```
Question 5 • hard • multi select

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

Question 6 • easy • multi select

A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?

Question 7 • hard • multiple choice

Your organization has deployed a Palo Alto Networks PA-5250 firewall in a high-availability active/passive configuration. The firewall is connected to two ISPs for redundancy. The internal network uses OSPF with the firewall as an ASBR redistributing a default route. Recently, users reported intermittent connectivity to external resources. During troubleshooting, you notice that the active firewall's management interface has high CPU usage, and the show session all command displays many sessions in the 'active' state but with minimal data transfer. The passive firewall shows no such issues. The OSPF neighbor relationships are stable. What is the most likely cause of the intermittent connectivity?

Question 8 • medium • multiple choice

Refer to the exhibit. A firewall has learned three routes for the 10.0.1.0/24 network. Which route will be used for forwarding traffic destined to 10.0.1.1?

Exhibit

Refer to the exhibit.

```
show routing route 10.0.1.0/24

vr: default
10.0.1.0/24
  via 10.0.0.2, interface ethernet1/3, metric 10, preference 10, route-type static
  via 10.0.0.3, interface ethernet1/4, metric 20, preference 10, route-type static
  via 10.0.0.4, interface ethernet1/5, metric 10, preference 30, route-type ospf
```
Question 9 • hard • multi select

Which THREE actions can a Security policy rule perform on traffic?

Question 10 • hard • multiple choice

A security administrator is troubleshooting a site-to-site IPsec VPN between two Palo Alto Networks firewalls. The Phase 1 proposal includes AES-256, SHA-256, and DH Group 14 with a lifetime of 28800 seconds. The Phase 2 proposal includes AES-256, SHA-256, and PFS with DH Group 14. The tunnel is established and traffic is flowing, but intermittently the tunnel drops and re-establishes. The logs show the following error: 'Phase 2 negotiation failed because no suitable proposal found.' Both firewalls have identical IKE gateway and IPsec crypto profile configurations. Which option is the most likely cause of this issue?

Question 11 • medium • drag order

Drag and drop the steps to configure a NAT policy on a Palo Alto Networks firewall into the correct order.

Question 12 • medium • matching

Match each log type to its description.

Records session information

Records blocked attacks

Records web browsing activity

Records files sent for analysis

Question 13 • medium • multiple choice

A security administrator notices that traffic from a specific subnet is not being logged in the Traffic logs, although the traffic is allowed by a security policy rule. Which configuration setting should be verified?

Question 14 • easy • multiple choice

A company wants to ensure that all internet-bound HTTP traffic is decrypted for inspection before being forwarded to the next-generation firewall for policy enforcement. Which deployment method should be used?

Question 15 • hard • multiple choice

An organization is experiencing high CPU utilization on the firewall dataplane, causing latency in packet processing. The administrator notices that a large number of small packets are being processed by a specific security rule that allows any service. What is the best first step to reduce CPU load without impacting legitimate traffic?

Question 16 • easy • multiple choice

A network administrator wants to allow FTP traffic from the internal network (zone: trust) to an external server (zone: untrust) while ensuring that the firewall can inspect the FTP control and data channels. Which security rule configuration is required?

Question 17 • medium • multiple choice

An administrator configures a security policy rule to block traffic from IP address 10.1.1.1 to 10.2.2.2 on any service. However, traffic from 10.1.1.1 to 10.2.2.2 is still passing through the firewall. After checking all rules, what is the most likely cause?

Question 18 • hard • multiple choice

A firewall administrator is troubleshooting a scenario where outbound HTTPS traffic to a specific website is being blocked. The security rule allows application 'ssl' and service 'application-default'. The URL Filtering profile blocks the category 'hacking'. The administrator confirms the destination URL falls under 'hacking' category. Which action should be taken to allow the traffic while maintaining security?

Question 19 • easy • multiple choice

Which of the following is a best practice when configuring an HA (High Availability) pair of Palo Alto Networks firewalls?

Question 20 • medium • multiple choice

An administrator needs to create a rule that allows internal users to access a public web server hosted in the DMZ. The firewall is in layer 3 mode. Which rule configuration is correct for this scenario?

Question 21 • hard • multiple choice

During a security audit, it is discovered that some traffic from the 'guest' zone to the 'untrust' zone is not being inspected by Threat Prevention profiles. The security rule that matches this traffic has a Threat Prevention profile applied. What is a likely reason for the lack of inspection?

Question 22 • medium • multi select

Which TWO of the following are key benefits of using an Application-Based Security Policy compared to a Port-Based Security Policy? (Choose TWO.)

Question 23 • hard • multi select

Which THREE of the following actions are valid actions for a security policy rule on a Palo Alto Networks firewall? (Choose THREE.)

Question 24 • easy • multi select

Which TWO of the following are required to configure a site-to-site VPN using IKEv2 on Palo Alto Networks firewalls? (Choose TWO.)

Question 25 • medium • multiple choice

Refer to the exhibit. Based on the session information, which type of NAT is being performed?

Exhibit

Refer to the exhibit.

```
admin@PA-220> show session id 12345
Session ID: 12345
Application: ssl
Source IP: 10.1.1.100
Destination IP: 172.16.1.10
Source Port: 45012
Destination Port: 443
Source Zone: trust
Destination Zone: dmz
Ingress Interface: ethernet1/1
Egress Interface: ethernet1/2
NAT: source (10.1.1.100 -> 192.168.1.100)
State: active
--------------------------------------------------------------------------
```
Question 26 • hard • multiple choice

Refer to the exhibit. An administrator observes that HTTP requests from the 10.0.0.0/24 network to the 172.16.1.0/24 network are being logged but the logs show that the action taken is 'deny'. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
! Firewall configuration snippet
security-rule {
    name Allow-Web;
    source-zone trust;
    destination-zone dmz;
    source-address 10.0.0.0/24;
    destination-address 172.16.1.0/24;
    application web-browsing;
    service application-default;
    action allow;
    log-start;
    log-end;
}
```
Question 27 • easy • multiple choice

Refer to the exhibit. An administrator notices that SSH traffic from the trust zone to the untrust zone is being blocked. The administrator expected it to be allowed by rule 2. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
> show running security-policy

Rule Name          Source Zone   Dest Zone   App         Action
----------------------------------------------------------------
1: Block-SSH        any           any         ssh          deny
2: Allow-SSH-Admin  trust         untrust     ssh          allow
3: Allow-Web        trust         untrust     web-browsing allow
```
Question 28 • medium • multiple choice

A network administrator notices that traffic from the internal zone to the external zone is being denied, even though a security policy allowing all outbound traffic exists. The internal zone is configured with a zone protection profile that has Flood Protection enabled. What is the most likely cause of the denial?

Question 29 • easy • multiple choice

A company uses destination NAT to translate a public IP to an internal server. They need to ensure that traffic sourced from the internal network to the public IP is also translated correctly. What is the best practice to achieve this?

Question 30 • hard • multiple choice

An organization is planning to deploy SSL decryption for outbound traffic. They want to inspect all traffic from internal users to the internet, but they need to exclude traffic to financial sites for compliance reasons. Which approach should be taken?

Question 31 • medium • multiple choice

A security engineer is creating a security policy that should allow access to Salesforce.com for the sales team. The engineer configures the policy to allow application 'ssl' with no restriction on URL category. How can the engineer ensure that only traffic to Salesforce.com is allowed and not all SSL traffic?

Question 32 • easy • multiple choice

A company uses Active Directory for user authentication. They want to enforce security policies based on user identity. What is the required first step to enable User-ID on the Palo Alto Networks firewall?

Question 33 • hard • multiple choice

An administrator wants to protect the firewall management interface from unauthorized access. The management interface is on a separate management network. Which of the following is the best security practice to restrict access?

Question 34 • medium • multiple choice

A firewall administrator needs to generate a report that shows the top applications consuming bandwidth over the last week. Which Palo Alto Networks tool should be used?

Question 35 • easy • multiple choice

Two Palo Alto Networks firewalls are deployed in an active/passive high availability pair. The passive firewall does not synchronize configuration changes. What is the most likely cause?

Question 36 • medium • multiple choice

Users report that some internal services are not accessible when connected via VPN, but they work when on the local network. The firewall has a policy allowing all traffic from the VPN zone to the internal zone. What should the administrator check first?

Question 37 • medium • multi select

Which TWO are valid methods for authenticating administrative users on Palo Alto Networks firewalls? (Choose two.)

Question 38 • hard • multi select

Which THREE actions can improve firewall performance by reducing CPU load? (Choose three.)

Question 39 • easy • multi select

Which THREE are default security profile groups in PAN-OS? (Choose three.)

Question 40 • medium • multiple choice

Refer to the exhibit. A user in the trust zone attempts to access https://www.example.com. The traffic matches rule 2 first. What is the expected behavior?

Exhibit

Refer to the exhibit.

```
show security-policy

1.  From trust -> untrust, source any, destination any, application any, service any, action allow, schedule none, log start none, log end yes
2.  From trust -> untrust, source any, destination any, application ssl, service application-default, action deny, schedule none, log start no, log end yes
3.  From trust -> untrust, source any, destination any, application web-browsing, service application-default, action allow, schedule none, log start no, log end yes
```
Question 41 • hard • multiple choice

Refer to the exhibit. A packet arrives with source IP 192.168.1.10, destination IP 203.0.113.10, destination port 80, from zone trust. After this NAT rule is applied, what will be the destination IP and port of the packet?

Exhibit

Refer to the exhibit.

```
configure
edit vsys1
set rulebase nat rules mynat
set destination nat
set original-packet source-zone trust
set original-packet destination-address 203.0.113.10
set original-packet destination-port 80
set translated-packet source-zone trust
set translated-packet destination-address 10.0.0.5
set translated-packet destination-port 80
```
Question 42 • hard • multiple choice

A multinational company has deployed a Palo Alto Networks firewall in a datacenter to provide internet access to employees in the corporate office and remote branches via IPsec VPN. The firewall is configured with multiple virtual routers, security zones (trust, untrust, dmz, vpn), and policies for application and URL filtering. Recently, users in the corporate office report that they cannot access a critical cloud-based CRM application (https://crm.company.com) from their workstations, while access from remote VPN users works fine. Other websites are accessible from the corporate office. The IT team has verified that DNS resolution is correct and that the CRM server responds to pings from the firewall's management IP. The security policy includes a rule from trust to untrust that allows application 'crm-base' and 'ssl' with URL category 'crm-sites'. The administrator has checked the traffic logs and sees that sessions are being denied with the reason 'application mismatch'. Which of the following is the most likely cause and correct course of action?

Question 43 • medium • multiple choice

A network administrator is configuring a new security policy to allow specific inbound traffic to a web server. The policy must be as specific as possible to minimize risk. Which configuration approach is correct?

Question 44 • easy • multi select

A security administrator is troubleshooting an issue where users cannot access a specific website. The security policy allows web-browsing from the internal zone to the external zone. Which TWO actions should the administrator take to verify the traffic is being matched and allowed?

Question 45 • hard • multiple choice

A company has a Palo Alto Networks firewall in a data center, connecting internal users (zone: Internal) to the internet (zone: Untrust). Recently, users report that they cannot access the corporate HR portal hosted on a server in the DMZ (zone: DMZ, IP 10.10.10.10) using HTTPS. The firewall has a security policy that allows traffic from Internal to DMZ with application web-browsing and service https-ssl. The policy is in place and committed. The administrator verifies that the web server is running and reachable from within the DMZ. From the firewall, a ping from the management interface to the server is successful. However, when a user tries to access https://10.10.10.10, the connection times out. Traffic logs show no sessions logged for that traffic. What is the most likely cause?

Question 46 • medium • multiple choice

An organization uses a Palo Alto Networks firewall to segment its network into three zones: Corp (10.0.1.0/24), Guest (10.0.2.0/24), and Mgmt (10.0.3.0/24). The firewall is running PAN-OS 10.0. The administrator wants to ensure that only devices from the Corp zone can access the management interface of the firewall via SSH from the internal network. The management interface is physically connected to the Mgmt network, and its IP is 10.0.3.1/24. A security policy must be configured to permit this access. Which approach should the administrator take?

Question 47 • easy • multiple choice

A network administrator is migrating from a legacy firewall to a new Palo Alto Networks firewall. The current firewall has a large number of ACL rules that allow traffic based on source/destination IP and port. The administrator wants to convert these rules to App-ID based policies on the Palo Alto firewall. What is the recommended best practice to ensure a smooth migration while maintaining security?

Question 48 • medium • multi select

A security administrator is reviewing best practices for creating security policies on a Palo Alto Networks firewall. Which two of the following are recommended practices?

Question 49 • hard • multiple choice

Refer to the exhibit. A user at IP 10.1.1.5 on the untrust zone is trying to access a server on the trust zone. The traffic is being blocked by a default deny rule instead of being allowed by rule1. What is the most likely reason?

Exhibit

Refer to the exhibit.
```
> show security-rule rule1
rule "rule1" {
  from untrust;
  to trust;
  source [10.1.1.0/24];
  negate-source yes;
  destination any;
  application any;
  service any;
  action allow;
}
```
Question 50 • easy • multiple choice

A small company runs a Palo Alto Networks PA-220 firewall with three zones: trust (internal users), untrust (internet), and dmz (public-facing services). They host a web server on IP 10.0.1.10 in the dmz zone, serving HTTPS content. The administrator created a security policy rule that allows traffic from untrust to dmz with source 'any', destination 10.0.1.10, service HTTPS, and action allow. No security profiles are applied to this rule. Users outside the company can access the web server successfully. However, the administrator notices from log reports that certain application-based attacks, such as SQL injection and cross-site scripting, are reaching the web server undetected. The firewall has the required threat prevention licenses installed. What is the best course of action to improve security posture?
