20+ practice questions focused on Core Concepts — one of the most tested topics on the Palo Alto Networks Certified Network Security Administrator PCNSA exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Start Core Concepts PracticeA network administrator notices that traffic from the internal network to a specific external server is being blocked unexpectedly. The firewall policy allows any-to-any outbound traffic. The administrator checks the Unified Policy and sees a Security policy rule that permits the traffic, but the traffic is still blocked. What is the most likely cause?
Explanation: When a Security policy rule permits traffic but it is still blocked, the most likely cause is that a DoS Protection profile is applied to the rule. DoS Protection profiles can drop traffic based on session rate thresholds or other attack signatures, even when the base Security rule allows the session. This is a common misconfiguration because the profile operates as an additional enforcement layer above the permit action.
An organization is deploying a Palo Alto Networks firewall in a data center with multiple virtual routers. The network team wants to ensure that traffic between two different virtual routers can be inspected by the firewall. Which configuration is required?
Explanation: Option D is correct because traffic between virtual routers must be explicitly permitted by a Security policy rule. Even though virtual routers provide separate routing tables, the firewall still enforces policy enforcement points; without a Security rule allowing the traffic, it will be denied by default. This ensures that inter-virtual-router traffic is inspected and controlled by the firewall's security engine.
A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?
Explanation: Option B is correct because URL Filtering profiles are specifically designed to block entire categories of websites (like social media) based on URL categorization, which is the most efficient method for blocking access to social media sites. This approach leverages Palo Alto Networks' URL Filtering database, which categorizes millions of URLs, allowing the administrator to block the entire 'social-media' category with a single policy rule without needing to identify individual applications or destinations.
Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?
Explanation: A high number of half-open TCP connections indicates that SYN packets are received but the three-way handshake is never completed. Option B is correct because an internal application that fails to send the final ACK (or does not respond to SYN-ACK) leaves connections in a half-open state, consuming firewall resources and degrading performance.
A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?
Explanation: Option A is correct because a Security policy rule explicitly allowing traffic to destination ports 80 and 443 ensures only HTTP and HTTPS traffic reaches the web server, aligning with the requirement to restrict allowed traffic. This rule uses port-based matching to permit only the specified services, which is a foundational step in controlling access.
+15 more Core Concepts questions available
Practice all Core Concepts questions1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Core Concepts. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Core Concepts questions on the PCNSA frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Core Concepts is tested as part of the Palo Alto Networks Certified Network Security Administrator PCNSA blueprint. Practicing with targeted Core Concepts questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free PCNSA practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Core Concepts is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Core Concepts practice session with instant scoring and detailed explanations.
Start Core Concepts Practice →