
PCNSA Policy Evaluation and Management • Complete Question Bank

PCNSA Policy Evaluation and Management — All Questions With Answers

Complete PCNSA Policy Evaluation and Management question bank — all 0 questions with answers and detailed explanations.

57 questions. Free, no signup.
Question 1 (medium, multiple choice)

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

Question 2 (hard, multiple choice)

A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?

Question 3 (easy, multiple choice)

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

Question 4 (medium, multiple choice)

An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?

Question 5 (hard, multiple choice)

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

Question 6 (medium, multi-select)

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

Question 7 (hard, multi-select)

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

Question 8 (easy, multiple choice)

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

Exhibit

Refer to the exhibit.

admin@PA-500> show running security-policy

  name                             from             to              source        destination    application     action
  ------------------------------------------------------------------------------------------------------------------
1  allow-web                       trust            untrust         192.168.1.0/24 any            web-browsing    allow
2  block-social                    trust            untrust         192.168.1.0/24 any            social-networking deny
3  allow-all                       trust            untrust         any            any            any             allow

Question 9 (hard, multiple choice)

A company has a Palo Alto Networks firewall in production. They recently configured a new security policy rule to allow outbound HTTPS traffic from the internal network (10.0.0.0/8) to the internet. The rule is placed after a block rule that denies all traffic from 10.0.0.0/8 to any external destination. After committing, users report that HTTPS access is still blocked. The administrator checks the firewall logs and sees that the traffic is being denied by the block rule. The administrator verifies the rule order: the new allow rule is at position 5, and the block rule is at position 3. The administrator also checks that the source zone (Trust) and destination zone (Untrust) are correct. What is the most likely cause of the issue?

Question 10 (medium, multi-select)

A security administrator notices that traffic from an internal user to a specific external web application is being blocked unexpectedly. The user's IP is 10.10.1.50 and the destination is 203.0.113.5 on port 443. The administrator has already verified that there is a security rule allowing the traffic. Which two logs should the administrator check first to diagnose the issue?

Question 11 (hard, multi-select)

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

Question 12 (easy, multiple choice)

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

Exhibit

Refer to the exhibit.

admin@PA-5020> show running security-policy
Set application-default

rule  id  name                        from         to           source        destination  application  service   action
---  ---  --------------------------- ----------- ------------ ------------- ------------ ------------ ---------- -------
    1    Allow-Sales-to-App           Sales        App-Servers  10.10.1.0/24  10.20.1.100  any           tcp/80    allow
    2    Allow-Any-Web                any          any           any           any          web-browsing  tcp/80    allow
    3    Block-Restricted-Apps        any          any           any           any          bittorrent    any       deny
    4    Allow-DNS                    any          any           any           any          dns           udp/53    allow

Question 13 (medium, drag order)

Drag and drop the steps to configure Active/Passive High Availability on a Palo Alto Networks firewall into the correct order.

Question 14 (medium, matching)

Match each security rule type to its purpose.

Blocks known attack patterns

Controls access to websites

Prevents transfer of specific file types

Prevents sensitive data exfiltration

Question 15 (medium, multiple choice)

A network administrator notices that traffic from a specific subnet is being denied even though there is a permit rule that matches the source and destination. The rulebase has over 500 rules. What is the most likely cause?

Question 16 (hard, multiple choice)

After a policy change, a security administrator commits the candidate configuration, but the changes do not take effect immediately for all users. Some users report connectivity issues while others do not. What should the administrator check first?

Question 17 (easy, multiple choice)

A company wants to block file-sharing applications like BitTorrent, but allow HTTP and HTTPS. Which type of policy is most appropriate to achieve this granular control?

Question 18 (medium, multiple choice)

An administrator is troubleshooting why a rule is not being hit. The rule has source zone Trust, destination zone Untrust, source address 10.0.0.0/8, destination address any, application web-browsing, action allow, and log at session end. The traffic is coming from 10.1.1.1 to 1.2.3.4 on port 80, zone Trust to Untrust. The rule count shows zero hits. What could be the issue?

Question 19 (hard, multiple choice)

An administrator wants to use Policy Optimizer to consolidate rules. Which of the following is a prerequisite for using Policy Optimizer on a rule?

Question 20 (medium, multiple choice)

A security rule is configured with source zone 'Trust', destination zone 'Untrust', source address 'any', destination address '10.10.10.0/24', application 'ssl', service 'https', action 'allow', log at session end. A user from Trust zone tries to access https://10.10.10.5. The traffic is not matching. What is the most likely reason?

Question 21 (easy, multiple choice)

What does a 'shadowed' rule mean in the context of policy evaluation?

Question 22 (easy, multiple choice)

How can an administrator quickly identify which security rules are not being used in order to clean up the rulebase?

Question 23 (medium, multiple choice)

An administrator needs to apply a security profile that includes anti-malware and vulnerability protection to all traffic from the internal network to the internet. However, there is already a rule that allows this traffic without any profiles. What is the most efficient way to apply the profiles?

Question 24 (medium, multi-select)

A security administrator is analyzing the rulebase for best practices. Which TWO of the following are recommended practices for security policy management? (Choose two.)

Question 25 (hard, multi-select)

An administrator is troubleshooting why a policy is not being matched. Which THREE of the following are valid reasons a security rule might not be hit? (Choose three.)

Question 26 (easy, multi-select)

An administrator wants to ensure that traffic from the corporate network to the internet is inspected by the firewall's threat prevention features. Which TWO of the following are required to achieve this? (Choose two.)

Question 27 (medium, multiple choice)

Refer to the exhibit. An administrator is analyzing the rulebase. Traffic from source 10.1.1.5 to destination 8.8.8.8 using web-browsing application (HTTP TCP/80). Which rule will match?

Exhibit

admin@PA-500> show running security-policy
rulebase security {
    rules {
        rule1 {
            source-zone trust
            destination-zone untrust
            source [ 10.0.0.0/8 ]
            destination any
            application [ ssl ]
            service application-default
            action allow
            log-start no
            log-end yes
        }
        rule2 {
            source-zone trust
            destination-zone untrust
            source [ 10.1.0.0/24 ]
            destination any
            application [ web-browsing ]
            service application-default
            action allow
            log-start no
            log-end yes
        }
        rule3 {
            source-zone trust
            destination-zone untrust
            source [ 10.1.1.0/24 ]
            destination any
            application any
            service application-default
            action deny
            log-start no
            log-end yes
        }
    }
}

Question 28 (hard, multiple choice)

Refer to the exhibit. The administrator sees that traffic from 10.10.1.12 is being denied by rule2. Which action should the administrator take to allow this traffic while maintaining security?

Exhibit

admin@PA-500> show log traffic | match allow | head -10
1: 2019-05-15 10:00:00, allow, trust, untrust, 10.10.1.10, 8.8.8.8, web-browsing, http, rule1, ...
2: 2019-05-15 10:00:01, allow, trust, untrust, 10.10.1.11, 8.8.8.8, web-browsing, http, rule1, ...
3: 2019-05-15 10:00:02, deny, trust, untrust, 10.10.1.12, 8.8.8.8, web-browsing, http, rule2, ...
4: 2019-05-15 10:00:03, allow, dmz, untrust, 10.20.1.1, 8.8.8.8, web-browsing, http, rule3, ...

Question 29 (easy, multiple choice)

Refer to the exhibit. A security rule is configured with destination address group 'internal-servers'. A packet with destination IP 10.10.20.5 arrives. Will the rule match?

Exhibit

admin@PA-500> show object address-group "internal-servers"
group {
    members [ server1 server2 ]
}

admin@PA-500> show object address "server1"
address {
    ip-netmask 10.10.10.0/24
}

admin@PA-500> show object address "server2"
address {
    ip-range 10.10.20.1-10.10.20.10
}

Question 30 (easy, multiple choice)

A security administrator notices that a newly added security rule, designed to allow SSH traffic from the engineering department to a Linux server, is not being matched. The rule is placed above an existing 'deny all' rule. What is the most likely cause?

Question 31 (medium, multiple choice)

A company is migrating from a legacy firewall to a Palo Alto Networks firewall. The legacy policy has many rules with overlapping source and destination objects. Which feature should the administrator use to simplify the policy before migration?

Question 32 (hard, multiple choice)

An administrator configures a security policy with three rules in order: Rule1 allows any to any with log at session start, Rule2 allows HTTP from trust to untrust, Rule3 denies any. Traffic from an internal user to an external web server is logged as allowed. Which rule processed the traffic?

Question 33 (easy, multiple choice)

An administrator wants to ensure that all traffic from the engineering zone to the server zone is logged, but only when a session is established. Which log setting should be configured in the security rule?

Question 34 (medium, multiple choice)

A security administrator is troubleshooting a rule that appears to be matching correctly but is not allowing traffic. The rule uses source zone 'Trust' and destination zone 'Untrust', and the action is 'allow'. The traffic source is in the 'DMZ' zone. What is the most likely reason the traffic is denied?

Question 35 (hard, multiple choice)

An administrator needs to implement a policy where traffic from the 'Sales' zone to the 'Finance' zone is allowed only for the 'ms-office365' application, but traffic from 'Sales' to 'Finance' using any other application must be denied. Which rule design meets this requirement efficiently?

Question 36 (easy, multiple choice)

An administrator is reviewing the rulebase and finds a rule with a hit count of 0 over the past 30 days. What action should the administrator consider?

Question 37 (medium, multiple choice)

A company needs to restrict access to a critical server from external IP addresses, but internal users should have full access. Which rule structure should be used?

Question 38 (hard, multiple choice)

An administrator is using Policy Tester to validate a rule before deployment. The rule allows HTTP and HTTPS from user 'John' (IP 10.1.1.10) to server 192.168.1.100. The tester shows 'No match' for traffic from John's IP to the server on port 80. What could be the reason?

Question 39 (medium, multi-select)

Which TWO are best practices for managing security policies in a Palo Alto Networks firewall?

Question 40 (hard, multi-select)

Which TWO factors affect the order in which security rules are evaluated?

Question 41 (medium, multi-select)

Which THREE are valid methods to test security policy effectiveness before deployment?

Question 42 (medium, multiple choice)

Refer to the exhibit. The administrator wants to remove unused rules to improve performance. Which rule should be removed?

Exhibit

user@fw> show security-rule hit-count
rule_id: 1, name: allow-dns, hit_count: 14527
rule_id: 2, name: allow-web, hit_count: 8923
rule_id: 3, name: deny-ssh, hit_count: 0
rule_id: 4, name: allow-mail, hit_count: 2104
rule_id: 5, name: deny-all, hit_count: 73

Question 43 (hard, multiple choice)

Refer to the exhibit. Traffic from Sales zone to Finance zone reaches destination 10.10.10.10 using application 'ssl'. What action does the firewall take?

Exhibit

set security policies policy-name Allow-Sales-to-Finance
  from Sales
  to Finance
  source any
  destination 10.10.10.0/24
  application ms-office365
  action allow
  log-start yes
set security policies policy-name Deny-Other
  from Sales
  to Finance
  source any
  destination any
  application any
  action deny
  log-end yes

Question 44 (easy, multiple choice)

Refer to the exhibit. An internal DNS server in the trust zone communicates with an external DNS server in the untrust zone. Which rule will match the DNS traffic?

Exhibit

> show running security-policy

rule 1: name: allow-http, source: trust, dest: untrust, application: web-browsing, action: allow
rule 2: name: allow-dns, source: trust, dest: untrust, application: dns, action: allow
rule 3: name: deny-all, source: any, dest: any, application: any, action: deny

Question 45 (easy, multiple choice)

A network administrator adds a new security rule allowing HTTP from the Trust zone to the Untrust zone. After committing, traffic from the Trust zone to the Untrust zone is still blocked. What is the most likely cause?

Question 46 (medium, multiple choice)

A company wants to block all traffic from the Guest zone to the Corporate zone except DNS. What is the best practice for configuring the security policy?

Question 47 (hard, multiple choice)

An administrator notices that traffic from a specific IP 10.10.10.5 is not matching the expected security rule that should allow HTTP traffic. The rule uses a source address object defined as '10.10.10.0/24'. Upon investigation, the administrator finds that the traffic is from IP 10.10.10.5, but the rule still does not match. What is the most likely cause?

Question 48 (medium, multiple choice)

An administrator wants to require users in the Internal zone to authenticate via User-ID before accessing the Internet. Which policy configuration is necessary to enforce this requirement?

Question 49 (medium, multi-select)

Which THREE actions can be taken based on hit counts in security rules? (Select three.)

Question 50 (easy, multi-select)

Which TWO methods can be used to help prevent rule shadowing? (Select two.)

Question 51 (hard, multiple choice)

A company has a Palo Alto Networks firewall with multiple virtual routers. The security policy has a rule that allows SSH from the 'Internal' zone to the 'DMZ' zone. Recently, a new subnet 10.10.20.0/24 was added to the Internal zone. Users in that subnet report they cannot SSH to a server at 192.168.1.10 in the DMZ, while users from other subnets in Internal can. The rule has source address object '10.0.0.0/8' which includes the new subnet. The rule's source zone is Internal, destination zone is DMZ, and application is SSH. The administrator confirms the new subnet's IPs are within 10.0.0.0/8. What is the most likely cause of the problem?

Question 52 (medium, multiple choice)

A network administrator is tasked with implementing a policy that allows traffic from the 'Sales' zone to the 'Internet' zone only for web-browsing (application: web-browsing) and blocks all other traffic. The administrator creates a rule at the top of the security policy with source zone Sales, destination zone Internet, application web-browsing, action allow. Below that, a rule with source zone Sales, destination zone Internet, application any, action deny. After committing, users in Sales can browse the web normally. However, the administrator discovers that some users are able to use applications like YouTube and Facebook which use web-browsing as part of their app-id. The administrator wants to ensure that only HTTP/HTTPS traffic for general web browsing is allowed, not other web-based applications. What should the administrator do?

Question 53 (easy, multiple choice)

A small business has a Palo Alto Networks firewall with a single security policy rule that allows all traffic from the 'Trust' zone to the 'Untrust' zone. The business recently experienced a malware infection originating from an internal host that communicated with known malicious IP addresses. The administrator wants to implement a security policy to block traffic to these malicious IP destinations. The administrator has a list of 500 malicious IP addresses that may change frequently. What is the most efficient way to create a policy to block traffic to these IPs?

Question 54 (medium, multiple choice)

An administrator has configured multiple security rules for a data center. There is a rule that allows SSH from the 'Management' zone to the 'Server' zone. Recently, the administrator added a new rule allowing SSH from a new 'Admin' zone to the 'Server' zone. The Admin rule is placed above the Management rule. Both rules specify the correct zones, application SSH, and action allow. After committing, SSH traffic from the Admin zone is being denied. What is the most likely issue?

Question 55 (easy, multi-select)

Which TWO are required to configure a Forward Proxy Decryption rule?

Question 56 (medium, multiple choice)

A user from 10.0.0.5 tries to access 8.8.8.8 on TCP 443. The traffic is matched to the above rule. Which additional configuration is required for the traffic to be decrypted?

Exhibit

Refer to the exhibit.

admin@PA-3060> show running security-policy
Total rules: 1
    1:  Name: Allow-Outbound, Zone: trust->untrust, Source: 10.0.0.0/24, Dest: any, Application: any, Service: any, Action: allow

Question 57 (hard, multiple choice)

A company has multiple branch offices connected via IPsec tunnels to a central datacenter. The central datacenter has a PA-5250 running PAN-OS 10.1. The security team wants to enforce that traffic between branches is inspected by the central firewall, not directly between branches. They configure security policies to allow inter-branch traffic through the central firewall. However, they notice that traffic between two branches (Branch A and Branch B) is not traversing the central firewall and is instead going directly between the branches via the IPsec tunnels which are configured as route-based VPNs. The security team has verified that the security policies are correctly configured to require the traffic to go through the central datacenter. What is the most likely cause?
