Palo Alto Networks exam questions

Palo Alto Networks Certified Network Security Administrator PCNSA practice test

Practise IP addressing questions covering IPv4/IPv6 configuration, subnetting, default gateways, and APIPA troubleshooting for the PCNSA exam.

524 practice questions · 8 topics covered · exam code: PCNSA · vendor: Palo Alto Networks

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 524 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 524 PCNSA questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 524 total

Related practice questions

Study PCNSA by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Sample questions

Palo Alto Networks Certified Network Security Administrator PCNSA practice questions

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

Exhibit

Refer to the exhibit.

admin@PA-500> show running security-policy

  name                             from             to              source        destination    application     action
  ------------------------------------------------------------------------------------------------------------------
1  allow-web                       trust            untrust         192.168.1.0/24 any            web-browsing    allow
2  block-social                    trust            untrust         192.168.1.0/24 any            social-networking deny
3  allow-all                       trust            untrust         any            any            any             allow

Question 2 · medium · drag order

Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.

Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.

Drag and drop the steps to configure a User-ID agent on a Palo Alto Networks firewall into the correct order.

Question 5 · medium · drag order

Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.

Question 6 · medium · multiple choice

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

Question 10 · hard · multiple choice

A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?

Question 11 · easy · multiple choice

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

Exhibit

Refer to the exhibit.

admin@PA-5020> show running security-policy
Set application-default

rule  id  name                        from         to           source        destination  application  service   action
---  ---  --------------------------- ----------- ------------ ------------- ------------ ------------ ---------- -------
    1    Allow-Sales-to-App           Sales        App-Servers  10.10.1.0/24  10.20.1.100  any           tcp/80    allow
    2    Allow-Any-Web                any          any           any           any          web-browsing  tcp/80    allow
    3    Block-Restricted-Apps        any          any           any           any          bittorrent    any       deny
    4    Allow-DNS                    any          any           any           any          dns           udp/53    allow

A security administrator wants to block all traffic using the BitTorrent protocol regardless of port. Which method should they use?

An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

Question 16 · easy · multiple choice

A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?

Question 17 · medium · multiple choice

A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?

Question 18 · medium · multiple choice

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

Exhibit

Refer to the exhibit.

admin@PA-500> show counter global | match tcp

tcp-conn-init           1500
tcp-conn-established    1200
tcp-conn-closed         1400
tcp-conn-failed         200
tcp-conn-reset          100
tcp-conn-half-open      50
tcp-conn-timeout        30

Question 19 · medium · multiple choice

A security team is deploying a Palo Alto Networks firewall in an AWS VPC using the VM-Series. They need to ensure that traffic between two subnets within the same VPC is inspected by the firewall. What is the required network configuration?

After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?

Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?

Question 22 · easy · multiple choice

A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?

A firewall is configured with multiple security zones. Traffic from the 'Untrust' zone to the 'DMZ' zone is allowed for web services. The administrator wants to ensure that the DMZ servers cannot initiate connections to the Untrust zone. What is the correct approach?

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

Exam question guide

How to use these PCNSA questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests understanding of IPv4/IPv6 addressing, subnetting, default gateways, and APIPA configurations for network connectivity.

Identifying IPv4 address classes and private ranges

Configuring IPv6 addresses and link-local vs global unicast

Calculating subnet masks and network IDs

Troubleshooting APIPA addresses (169.254.x.x)

These PCNSA practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.