Sample questions
Palo Alto Networks Certified Network Security Administrator PCNSA practice questions
A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?
Exhibit
Refer to the exhibit.
admin@PA-500> show running security-policy
    name          from    to        source           destination   application         action
    ---------------------------------------------------------------------------------------
 1  allow-web     trust   untrust   192.168.1.0/24   any           web-browsing        allow
 2  block-social  trust   untrust   192.168.1.0/24   any           social-networking   deny
 3  allow-all     trust   untrust   any              any           any                 allow
Trap 1: Allow the traffic because rule 1 matches and allows all web traffic.
Rule 1 only allows web-browsing, not social-networking.
Trap 2: Allow the traffic because rule 3 allows all traffic.
Rule 3 is not reached because rule 2 matches first.
Trap 3: Deny the traffic because no rule allows social-networking.
There is a specific deny rule, so the traffic is denied by that rule, not by default.
- A
Allow the traffic because rule 1 matches and allows all web traffic.
Why wrong: Rule 1 only allows web-browsing, not social-networking.
- B
Allow the traffic because rule 3 allows all traffic.
Why wrong: Rule 3 is not reached because rule 2 matches first.
- C
Deny the traffic because no rule allows social-networking.
Why wrong: There is a specific deny rule, so the traffic is denied by that rule, not by default.
- D
Deny the traffic because rule 2 matches and denies social-networking.
Rule 2 explicitly denies social-networking.
Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.
Drag and drop the steps to perform a packet capture (tcpdump) on a Palo Alto Networks firewall using the CLI into the correct order.
Drag and drop the steps to configure a User-ID agent on a Palo Alto Networks firewall into the correct order.
Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.
A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?
Trap 1: The TCP sequence numbers are out of order, causing the packets to…
Packets outside the TCP window are dropped against an existing session (out-of-window drops); tcp-non-syn means the firewall has no session at all for the packet.
Trap 2: The NAT policy is misconfigured, causing the source IP to not be…
NAT misconfiguration leads to NAT-related drops, not tcp-non-syn.
Trap 3: The security policy uses an incorrect service object that doesn't…
A service mismatch means the traffic simply does not match that rule and falls through to a later rule or the interzone default deny; the session log would name that rule as the cause, not a tcp-non-syn drop.
- A
The TCP sequence numbers are out of order, causing the packets to be out of the expected window.
Why wrong: Packets outside the TCP window are dropped against an existing session (out-of-window drops); tcp-non-syn means the firewall has no session at all for the packet.
- B
The NAT policy is misconfigured, causing the source IP to not be translated correctly.
Why wrong: NAT misconfiguration leads to NAT-related drops, not tcp-non-syn.
- C
The security policy uses an incorrect service object that doesn't match the application.
Why wrong: A service mismatch means the traffic simply does not match that rule and falls through to a later rule or the interzone default deny; the session log would name that rule as the cause, not a tcp-non-syn drop.
- D
Asymmetric routing is causing packets to arrive at a firewall that did not see the initial SYN.
Asymmetric routing leads to tcp-non-syn drops because the firewall has no session for the non-SYN packet. By default the firewall rejects a non-SYN TCP packet that matches no session (the Reject Non-SYN TCP session setting). Confirm it by watching the flow_tcp_non_syn_drop global counter increment while the application is tested, then fix the routing so both directions of the flow traverse the same firewall. Disabling the rejection (set deviceconfig setting session tcp-reject-non-syn no) makes the symptom disappear but lets the firewall build sessions without having validated the handshake, so it is a workaround, not the fix.
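The failure mode in the answer above, as an added illustration that is not PAN-OS code: a minimal stateful session-table model in which only a SYN may create a session, run once with symmetric routing and once with the server's SYN-ACK returning through a second firewall that never saw the SYN. The packets are constructed, and the reject_non_syn flag stands for the Reject Non-SYN TCP setting (an assumption about how that setting is modelled here).

```python
"""Why asymmetric routing produces tcp-non-syn drops: a minimal stateful
session-table model. Added illustration, not PAN-OS code; the firewall
behaviour is simplified and the packets are constructed. Assumption: the
reject_non_syn flag stands for the PAN-OS 'Reject Non-SYN TCP' session
setting, which defaults to enabled."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


@dataclass
class Firewall:
    name: str
    reject_non_syn: bool = True
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p):
        # Direction-agnostic key so the server's reply matches the session the client opened.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        """Return the verdict for one packet and record it in the firewall's log."""
        key = self._key(p)
        if key in self.sessions:
            self.log.append((self.name, "forward", p.flags))
            return "forward"
        if p.flags == "S":
            # A pure SYN is the only packet allowed to create a session.
            self.sessions.add(key)
            self.log.append((self.name, "session-created", p.flags))
            return "forward"
        if self.reject_non_syn:
            # No session and not a SYN: this is the tcp-non-syn drop.
            self.log.append((self.name, "drop", "tcp-non-syn"))
            return "drop:tcp-non-syn"
        # Reject Non-SYN disabled: the firewall builds a session mid-stream,
        # without having seen (or validated) the handshake.
        self.sessions.add(key)
        self.log.append((self.name, "session-created-non-syn", p.flags))
        return "forward"


def run_handshake(fw_outbound, fw_return):
    """Client SYN goes through fw_outbound, server SYN-ACK comes back through fw_return."""
    syn = Packet("10.1.1.10", "203.0.113.5", 51000, 443, "S")
    synack = Packet("203.0.113.5", "10.1.1.10", 443, 51000, "SA")
    return [fw_outbound.process(syn), fw_return.process(synack)]


if __name__ == "__main__":
    single = Firewall("fw-a")
    print(run_handshake(single, single))  # ['forward', 'forward']
    a, b = Firewall("fw-a"), Firewall("fw-b")
    print(run_handshake(a, b))            # ['forward', 'drop:tcp-non-syn']
    a, b = Firewall("fw-a"), Firewall("fw-b", reject_non_syn=False)
    print(run_handshake(a, b))            # ['forward', 'forward']
    print(b.log)
```

The second run is the scenario in the question: fw-b has no session for the SYN-ACK and drops it, so the client never completes the handshake. The third run shows why disabling the rejection hides the problem rather than fixing it: fw-b now creates a session from a SYN-ACK it cannot validate.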
A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in Layer 3 mode, with the internal and external interfaces in separate zones. Which configuration is required to achieve this?
Trap 1: Define a NAT policy to translate internal IPs to the external…
NAT does not enable inspection; it translates addresses.
Trap 2: Enable SSL decryption on the firewall
Decryption is for encrypted traffic, not a requirement for general inspection.
Trap 3: Configure a virtual wire between the internal and external…
Virtual wire is a separate transparent deployment mode; it is not combined with Layer 3 interfaces and is not what makes traffic subject to policy.
- A
Create a security policy rule that allows traffic from the internal zone to the external zone
Security policy rules are what allow traffic between zones and subject it to inspection. A bare allow only permits the sessions; attach Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering) to the rule so that allowed traffic is also scanned for threats.
- B
Define a NAT policy to translate internal IPs to the external interface
Why wrong: NAT does not enable inspection; it translates addresses.
- C
Enable SSL decryption on the firewall
Why wrong: Decryption is for encrypted traffic, not a requirement for general inspection.
- D
Configure a virtual wire between the internal and external interfaces
Why wrong: Virtual wire is a separate transparent deployment mode; it is not combined with Layer 3 interfaces and is not what makes traffic subject to policy.
A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?
Trap 1: The HA2 link is down or misconfigured
HA2 link failure would prevent sync, but version mismatch is more likely.
Trap 2: The HA keepalive timer is misconfigured
Keepalive failure leads to split-brain, not sync failure.
Trap 3: The passive firewall has preemption enabled
Preemption affects failback, not synchronization.
- A
The HA2 link is down or misconfigured
Why wrong: HA2 link failure would prevent sync, but version mismatch is more likely.
- B
The HA keepalive timer is misconfigured
Why wrong: Keepalive failure leads to split-brain, not sync failure.
- C
The passive firewall has preemption enabled
Why wrong: Preemption affects failback, not synchronization.
- D
The PAN-OS versions are different between the HA peers
HA peers must run the same PAN-OS version for configuration and session synchronization. A temporary mismatch is expected during a staged HA upgrade (upgrade the passive peer, fail over, then upgrade the former active); synchronization resumes once both peers are on the same version.
An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?
Trap 1: Configure HA1 and HA2 interfaces with appropriate IPs
Interfaces are required for HA communication, but they don't enable session sync.
Trap 2: Enable Config Sync on the HA General tab
Config Sync synchronizes configuration, not active session states.
Trap 3: Configure Path Monitoring to detect link failures
Path monitoring triggers failover but does not synchronize sessions.
- A
Configure HA1 and HA2 interfaces with appropriate IPs
Why wrong: Interfaces are required for HA communication, but they don't enable session sync.
- B
Enable Config Sync on the HA General tab
Why wrong: Config Sync synchronizes configuration, not active session states.
- C
Enable Session Synchronization on the HA2 data link.
This setting synchronizes session state between the HA peers over the HA2 link, so established sessions survive a failover. HA2 must also be configured (option A), but configuring the link on its own does not turn on session synchronization.
- D
Configure Path Monitoring to detect link failures
Why wrong: Path monitoring triggers failover but does not synchronize sessions.
A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?
Trap 1: A zone protection profile is blocking ICMP packets.
Zone protection would block based on flood protection, not routing.
Trap 2: The decryption policy is blocking the traffic because it is not…
Decryption applies to SSL/TLS, not ICMP.
Trap 3: The NAT policy is missing for the outbound traffic.
Without a route the outbound packet is never forwarded; without NAT the packets still leave the firewall and are logged, and only the replies fail. The question says only that the security policy allows the traffic, and the route lookup happens before NAT is evaluated, so the missing route is the more fundamental cause.
- A
A zone protection profile is blocking ICMP packets.
Why wrong: Zone protection would block based on flood protection, not routing.
- B
The virtual router does not have a default route to the external network.
Without a route the virtual router cannot determine an egress interface or zone, so the packet is not forwarded. Pinging the management IP still works because the management interface has its own default gateway and is not part of any virtual router. Check with show routing route virtual-router &lt;name&gt; and test routing fib-lookup virtual-router &lt;name&gt; ip &lt;server-ip&gt;.
- C
The decryption policy is blocking the traffic because it is not decrypted.
Why wrong: Decryption applies to SSL/TLS, not ICMP.
- D
The NAT policy is missing for the outbound traffic.
Why wrong: Without a route the outbound packet is never forwarded; without NAT the packets still leave the firewall and are logged, and only the replies fail. The question says only that the security policy allows the traffic, and the route lookup happens before NAT is evaluated, so the missing route is the more fundamental cause.
Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?
Exhibit
Refer to the exhibit.
admin@PA-5020> show running security-policy
Set application-default
rule id  name                   from   to           source         destination   application    service   action
-------  ---------------------  -----  -----------  -------------  ------------  -------------  --------  ------
1        Allow-Sales-to-App     Sales  App-Servers  10.10.1.0/24   10.20.1.100   any            tcp/80    allow
2        Allow-Any-Web          any    any          any            any           web-browsing   tcp/80    allow
3        Block-Restricted-Apps  any    any          any            any           bittorrent     any       deny
4        Allow-DNS              any    any          any            any           dns            udp/53    allow
Trap 1: Rule 4 (Allow-DNS)
Rule 4 matches DNS traffic on udp/53, not HTTP on tcp/80.
Trap 2: Rule 3 (Block-Restricted-Apps)
Rule 3 denies bittorrent, which is not the application used.
Trap 3: Rule 1 (Allow-Sales-to-App)
Rule 1's destination is 10.20.1.100, not the external IP 203.0.113.50, so it does not match.
- A
Rule 4 (Allow-DNS)
Why wrong: Rule 4 matches DNS traffic on udp/53, not HTTP on tcp/80.
- B
Rule 3 (Block-Restricted-Apps)
Why wrong: Rule 3 denies bittorrent, which is not the application used.
- C
Rule 2 (Allow-Any-Web)
Rule 2 matches any zone, source and destination, with application web-browsing and service tcp/80, so it matches this HTTP traffic. Rule 1 is evaluated first but its destination zone and address do not match, and evaluation stops at rule 2 because the first matching rule wins.
- D
Rule 1 (Allow-Sales-to-App)
Why wrong: Rule 1's destination is 10.20.1.100, not the external IP 203.0.113.50, so it does not match.
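The rule-matching logic behind this question and the first one on the page, as an added illustration that is not PAN-OS code: a first-match evaluator that parses the two exhibit tables verbatim and returns the rule (or the implicit intrazone-default / interzone-default rule) that a flow hits. Assumptions, labelled in the code: a rule line with no service column is treated as application-default, APP_DEFAULT_PORTS is a constructed subset of App-ID's standard ports, the external zone in the second exhibit is named Untrust, and the destination IP for the first question is made up.

```python
"""First-match security policy evaluation modelled on the two exhibits above.

Added illustration, not PAN-OS code. The rule tables are copied from the
exhibits; the matching semantics (top-down first match, then the implicit
intrazone-default allow / interzone-default deny) follow PAN-OS behaviour.
Assumptions: a rule line without a service column is treated as
application-default, and APP_DEFAULT_PORTS is a constructed subset of
App-ID's standard ports.
"""
from dataclasses import dataclass
import ipaddress

# Exhibit 1 (no service column) and exhibit 2 (with service column), as printed.
EXHIBIT_1 = """
1 allow-web trust untrust 192.168.1.0/24 any web-browsing allow
2 block-social trust untrust 192.168.1.0/24 any social-networking deny
3 allow-all trust untrust any any any allow
"""
EXHIBIT_2 = """
1 Allow-Sales-to-App Sales App-Servers 10.10.1.0/24 10.20.1.100 any tcp/80 allow
2 Allow-Any-Web any any any any web-browsing tcp/80 allow
3 Block-Restricted-Apps any any any any bittorrent any deny
4 Allow-DNS any any any any dns udp/53 allow
"""

# Constructed subset of App-ID standard ports (assumption).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "social-networking": {("tcp", 80), ("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    application: str
    service: str  # "any", "application-default" or "<proto>/<port>"
    action: str


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str  # what App-ID identified the session as
    proto: str
    dport: int


def parse_rules(text):
    """Parse exhibit lines: id name from to source destination application [service] action."""
    rules = []
    for line in text.strip().splitlines():
        c = line.split()
        service, action = (c[7], c[8]) if len(c) == 9 else ("application-default", c[7])
        rules.append(Rule(c[1], c[2], c[3], c[4], c[5], c[6], service, action))
    return rules


def _addr_match(rule_addr, ip):
    return rule_addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def _service_match(rule_service, flow):
    if rule_service == "any":
        return True
    if rule_service == "application-default":
        return (flow.proto, flow.dport) in APP_DEFAULT_PORTS.get(flow.application, set())
    proto, port = rule_service.split("/")
    return flow.proto == proto and flow.dport == int(port)


def evaluate(rules, flow):
    """Return (rule name, action) of the first matching rule, or of the implicit default rule."""
    for r in rules:
        if (r.from_zone in ("any", flow.from_zone) and r.to_zone in ("any", flow.to_zone)
                and _addr_match(r.source, flow.src_ip) and _addr_match(r.destination, flow.dst_ip)
                and r.application in ("any", flow.application) and _service_match(r.service, flow)):
            return r.name, r.action
    # Nothing explicit matched: fall through to the predefined default rules.
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


RULES_1 = parse_rules(EXHIBIT_1)
RULES_2 = parse_rules(EXHIBIT_2)

# Flows from the two questions (the destination IP for question 1 and the zone name
# "Untrust" for question 8 are constructed).
FLOW_Q1 = Flow("trust", "untrust", "192.168.1.10", "198.51.100.7", "social-networking", "tcp", 443)
FLOW_Q8 = Flow("Sales", "Untrust", "10.10.1.50", "203.0.113.50", "web-browsing", "tcp", 80)

if __name__ == "__main__":
    print(evaluate(RULES_1, FLOW_Q1))  # ('block-social', 'deny')
    print(evaluate(RULES_2, FLOW_Q8))  # ('Allow-Any-Web', 'allow')
    # The same HTTP flow on tcp/8080: rule 2's service no longer matches -> default deny.
    print(evaluate(RULES_2, Flow("Sales", "Untrust", "10.10.1.50", "203.0.113.50", "web-browsing", "tcp", 8080)))
```

The third call is the check worth remembering: application and service are matched independently, so a rule written with service tcp/80 does not cover web-browsing on another port, and the flow drops to the interzone default deny, which does not log unless its logging is overridden.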
A security administrator wants to block all traffic using the BitTorrent protocol regardless of port. Which method should they use?
Trap 1: Use URL Filtering to block BitTorrent.
URL filtering is for HTTP/HTTPS, not peer-to-peer.
Trap 2: Use Data Filtering to block BitTorrent traffic.
Data filtering is for file transfers, not protocol blocking.
Trap 3: Block the commonly used ports for BitTorrent.
BitTorrent can use random ports.
- A
Use URL Filtering to block BitTorrent.
Why wrong: URL filtering is for HTTP/HTTPS, not peer-to-peer.
- B
Create a security rule with Application set to 'bittorrent' and Action set to 'Deny'.
App-ID identifies BitTorrent by its traffic signature on any port. Set the rule's Service to any rather than application-default so the deny also catches the application on non-standard ports, and place the rule above any broader allow rule so it is evaluated first.
- C
Use Data Filtering to block BitTorrent traffic.
Why wrong: Data filtering is for file transfers, not protocol blocking.
- D
Block the commonly used ports for BitTorrent.
Why wrong: BitTorrent can use random ports.
An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?
Trap 1: Tag
Tags label objects and rules; the source field takes address objects, address groups or regions, and a tag is only used indirectly, through a Dynamic Address Group.
Trap 2: Address group
Address groups are used for multiple addresses, not a single IP.
Trap 3: Region
Regions are geographical groupings, not for a single IP.
- A
Address object
Address object directly defines a specific IP address.
- B
Tag
Why wrong: Tags label objects and rules; the source field takes address objects, address groups or regions, and a tag is only used indirectly, through a Dynamic Address Group.
- C
Address group
Why wrong: Address groups are used for multiple addresses, not a single IP.
- D
Region
Why wrong: Regions are geographical groupings, not for a single IP.
A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?
Trap 1: Configure an SSL Forward Proxy decryption policy to decrypt HTTPS…
SSL Forward Proxy is for outbound client traffic; an inbound web server is handled with SSL Inbound Inspection using the server's own certificate and key. Decryption is not one of the two required actions here, but without it only the HTTP payloads are inspected; the HTTPS sessions are identified as ssl and pass with their content unexamined.
Trap 2: Create a Security policy rule that allows all traffic to the web…
Allowing all traffic would permit non-HTTP/HTTPS protocols.
Trap 3: Create a Security policy rule that blocks all traffic not matching…
Security policy rules match on the applications listed in them; there is no "traffic not matching an application" condition, and a deny rule on its own never permits anything. Everything not explicitly allowed already falls to the interzone default deny.
- A
Create a Security policy rule that allows traffic from any source to the web server on destination ports 80 and 443.
This permits HTTP and HTTPS traffic. Restricting the rule further to the applications web-browsing and ssl keeps other applications from riding on ports 80 and 443.
- B
Configure an SSL Forward Proxy decryption policy to decrypt HTTPS traffic.
Why wrong: SSL Forward Proxy is for outbound client traffic; an inbound web server is handled with SSL Inbound Inspection using the server's own certificate and key. Decryption is not one of the two required actions here, but without it only the HTTP payloads are inspected; the HTTPS sessions are identified as ssl and pass with their content unexamined.
- C
Create a Security policy rule that allows all traffic to the web server and relies on Application ID to filter.
Why wrong: Allowing all traffic would permit non-HTTP/HTTPS protocols.
- D
Create a Security policy rule that blocks all traffic not matching the web-browsing and ssl applications.
Why wrong: Security policy rules match on the applications listed in them; there is no "traffic not matching an application" condition, and a deny rule on its own never permits anything. Everything not explicitly allowed already falls to the interzone default deny.
- E
Attach a Vulnerability Protection profile to the Security policy rule.
This inspects traffic for threats.
Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)
Trap 1: Use a self-signed certificate for decryption.
A firewall-generated self-signed CA works only if every client is made to trust it; the best practice is a subordinate CA certificate issued by the enterprise PKI, so clients trust the forged server certificates through a root they already hold.
Trap 2: Decrypt all internal traffic including server-to-server.
Server-to-server traffic often uses certificate pinning or mutual TLS and breaks under a forward proxy, and decrypting it adds load for little benefit; decrypt selectively.
Trap 3: Decrypt all outbound traffic regardless of destination.
Not a best practice; selective decryption reduces overhead.
- A
Use a self-signed certificate for decryption.
Why wrong: A firewall-generated self-signed CA works only if every client is made to trust it; the best practice is a subordinate CA certificate issued by the enterprise PKI, so clients trust the forged server certificates through a root they already hold.
- B
Decrypt all internal traffic including server-to-server.
Why wrong: Server-to-server traffic often uses certificate pinning or mutual TLS and breaks under a forward proxy, and decrypting it adds load for little benefit; decrypt selectively.
- C
Exclude traffic to financial and healthcare sites from decryption.
Compliance requirements often prohibit decryption of sensitive sites. Implement the exclusion as a decryption policy rule with the No Decrypt action matching the financial-services and health-and-medicine URL categories, placed above the decrypt rule.
- D
Decrypt all outbound traffic regardless of destination.
Why wrong: Not a best practice; selective decryption reduces overhead.
- E
Install the firewall's CA certificate on all client devices.
Ensures clients trust the decrypted connections.
A security administrator wants to block users from accessing social media websites during business hours. The firewall is connected to the internet and has a Security policy that allows general web browsing. What is the most efficient way to block social media?
Trap 1: Create a new Security policy rule with an Application ID that…
App-ID can block the social-networking application as well (as in the first question on this page), but a URL Filtering profile blocks the social-networking category of sites directly and needs no per-application maintenance, so it is the more efficient choice.
Trap 2: Add a Custom Signature to the existing rule to block social media…
Custom Signatures are for detecting specific threats, not for URL filtering.
Trap 3: Modify the existing web browsing rule to deny social media…
This would require maintaining a list of social media IPs, which is inefficient.
- A
Create a new Security policy rule with an Application ID that blocks social-media applications.
Why wrong: App-ID can block the social-networking application as well (as in the first question on this page), but a URL Filtering profile blocks the social-networking category of sites directly and needs no per-application maintenance, so it is the more efficient choice.
- B
Create a new Security policy rule with a URL Filtering profile that blocks the social-media category.
URL Filtering blocks access by URL category (social-networking). The profile only takes effect on a rule that allows the web traffic, and to limit the block to business hours attach a Schedule object to that rule.
- C
Add a Custom Signature to the existing rule to block social media traffic.
Why wrong: Custom Signatures are for detecting specific threats, not for URL filtering.
- D
Modify the existing web browsing rule to deny social media destinations.
Why wrong: This would require maintaining a list of social media IPs, which is inefficient.
A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?
Trap 1: External dynamic list
EDLs provide IP feeds, not NAT addresses.
Trap 2: Service group
Service groups define port/protocol sets, not translation addresses.
Trap 3: IPsec Crypto profile
Crypto profiles define encryption settings, not NAT addresses.
- A
NAT address pool
A pool of translated addresses, defined as an address object or address group and referenced as the translated address in a source NAT rule, supplies the unique per-branch source IPs.
- B
External dynamic list
Why wrong: EDLs provide IP feeds, not NAT addresses.
- C
Service group
Why wrong: Service groups define port/protocol sets, not translation addresses.
- D
IPsec Crypto profile
Why wrong: Crypto profiles define encryption settings, not NAT addresses.
Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?
Exhibit
Refer to the exhibit.
admin@PA-500> show counter global | match tcp
tcp-conn-init            1500
tcp-conn-established     1200
tcp-conn-closed          1400
tcp-conn-failed           200
tcp-conn-reset            100
tcp-conn-half-open         50
tcp-conn-timeout           30
Trap 1: A DDoS attack is flooding the firewall with SYN packets.
SYN flood would show very high tcp-conn-init, not just half-open.
Trap 2: The firewall's TCP timeout setting is too short.
Short timeouts would reduce half-open count, not increase it.
Trap 3: The firewall's hardware is failing.
Hardware failure would show more generic errors, not specific half-open count.
- A
A DDoS attack is flooding the firewall with SYN packets.
Why wrong: SYN flood would show very high tcp-conn-init, not just half-open.
- B
An application on the internal network is not completing TCP handshakes.
Half-open connections indicate incomplete handshakes, likely due to application failure.
- C
The firewall's TCP timeout setting is too short.
Why wrong: Short timeouts would reduce half-open count, not increase it.
- D
The firewall's hardware is failing.
Why wrong: Hardware failure would show more generic errors, not specific half-open count.
A security team is deploying a Palo Alto Networks firewall in an AWS VPC using the VM-Series. They need to ensure that traffic between two subnets within the same VPC is inspected by the firewall. What is the required network configuration?
Trap 1: Create a VPC peering connection between the two subnets and attach…
VPC peering is for different VPCs, not subnets within the same VPC.
Trap 2: Attach the firewall to a single subnet and use it as a default…
A single ENI cannot handle traffic between two subnets; each subnet needs an ENI on the firewall.
Trap 3: Configure AWS security groups to route traffic through the firewall.
Security groups do not route traffic; they act as stateful firewalls.
- A
Deploy the firewall with two elastic network interfaces, one in each subnet, and configure route tables to send inter-subnet traffic through the firewall.
This allows the firewall to inspect traffic between the subnets.
- B
Create a VPC peering connection between the two subnets and attach the firewall.
Why wrong: VPC peering is for different VPCs, not subnets within the same VPC.
- C
Attach the firewall to a single subnet and use it as a default gateway for both subnets.
Why wrong: A single ENI cannot handle traffic between two subnets; each subnet needs an ENI on the firewall.
- D
Configure AWS security groups to route traffic through the firewall.
Why wrong: Security groups do not route traffic; they act as stateful firewalls.
After upgrading the PAN-OS version on a firewall, the administrator notices that the commit operation takes significantly longer than before. What is the most likely cause?
Trap 1: The firewall's CPU and memory are insufficient for the new PAN-OS…
The upgrade does not change hardware; if resources were insufficient, the firewall would have performance issues in general.
Trap 2: The firewall is performing a backup of the configuration.
Backups are not part of the commit process.
Trap 3: The rulebase has grown too large.
That would have caused slow commits before the upgrade as well.
- A
The firewall's CPU and memory are insufficient for the new PAN-OS version.
Why wrong: The upgrade does not change hardware; if resources were insufficient, the firewall would have performance issues in general.
- B
The upgrade triggered a full commit of the entire configuration, which takes longer than a partial commit.
After an upgrade, the system often performs a full commit to apply structural changes, which is slower.
- C
The firewall is performing a backup of the configuration.
Why wrong: Backups are not part of the commit process.
- D
The rulebase has grown too large.
Why wrong: That would have caused slow commits before the upgrade as well.
Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?
Trap 1: Set the rule action to 'reset-both'.
Reset-both terminates the session and sends TCP resets.
Trap 2: Set the rule action to 'deny'.
Deny blocks traffic.
Trap 3: Enable 'Log at Session Start' in the rule.
Logging at session start is optional and not required for logging; session end provides standard logging.
- A
Set the rule action to 'reset-both'.
Why wrong: Reset-both terminates the session and sends TCP resets.
- B
Set the rule action to 'allow'.
Allow permits traffic through the firewall.
- C
Set the rule action to 'deny'.
Why wrong: Deny blocks traffic.
- D
Enable 'Log at Session Start' in the rule.
Why wrong: Logging at session start is optional and not required for logging; session end provides standard logging.
- E
Enable 'Log at Session End' in the rule.
This logs the session after it completes, providing a record of allowed traffic.
A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?
Trap 1: The rule is placed below an earlier rule that also matches the…
This could cause the earlier rule to be matched first, but the question states the traffic is not inspected at all, not that it matches a different rule.
Trap 2: The firewall's license for the threat prevention subscription has…
License expiry would affect inspection capabilities, but the firewall would still apply security rules; it would just not perform threat inspection.
Trap 3: The firewall is in an active/passive HA pair and the passive unit…
HA state does not affect rule evaluation; the active unit handles traffic and applies rules.
- A
The rule is placed below an earlier rule that also matches the traffic.
Why wrong: This could cause the earlier rule to be matched first, but the question states the traffic is not inspected at all, not that it matches a different rule.
- B
The firewall's license for the threat prevention subscription has expired.
Why wrong: License expiry would affect inspection capabilities, but the firewall would still apply security rules; it would just not perform threat inspection.
- C
The firewall is in an active/passive HA pair and the passive unit is handling traffic.
Why wrong: HA state does not affect rule evaluation; the active unit handles traffic and applies rules.
- D
The rule is disabled in the rulebase.
A disabled rule is not evaluated, so the traffic falls through to the next matching rule or to the interzone default deny. The predefined default rules do not log unless their logging is overridden, which is why nothing for that subnet appears in the logs.
A firewall is configured with multiple security zones. Traffic from the 'Untrust' zone to the 'DMZ' zone is allowed for web services. The administrator wants to ensure that the DMZ servers cannot initiate connections to the Untrust zone. What is the correct approach?
Trap 1: Configure a zone protection profile on the DMZ zone.
Zone protection profiles apply flood, reconnaissance and packet-based protections to traffic entering a zone; they do not decide which sessions are permitted.
Trap 2: Create a rule allowing traffic from Untrust to DMZ and another rule…
This would allow DMZ to initiate connections, which is not desired.
Trap 3: Create a rule allowing traffic from DMZ to Untrust with a deny…
This would create an explicit deny, but the default already blocks; this adds unnecessary complexity.
- A
Configure a zone protection profile on the DMZ zone.
Why wrong: Zone protection profiles apply flood, reconnaissance and packet-based protections to traffic entering a zone; they do not decide which sessions are permitted.
- B
Create a rule allowing traffic from Untrust to DMZ and another rule allowing DMZ to Untrust.
Why wrong: This would allow DMZ to initiate connections, which is not desired.
- C
Create a rule allowing traffic from DMZ to Untrust with a deny action.
Why wrong: This would create an explicit deny, but the default already blocks; this adds unnecessary complexity.
- D
Do nothing; by default, inter-zone traffic from DMZ to Untrust is blocked.
The interzone-default rule blocks all traffic that is not explicitly allowed. It does not log by default, so if the blocked DMZ-to-Untrust attempts need to be visible, override the logging on the interzone-default rule.
An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?
Trap 1: Create three zones: Web, App, DB
This does not restrict which specific services are allowed; it allows all traffic between the tiers, which may be too permissive.
Trap 2: Place web servers in an untrust zone and app/database in a trust…
This would allow database servers to initiate connections to the internet, which is not required.
Trap 3: Place all servers in the same zone and use rules to allow traffic…
This would not provide segmentation because intra-zone traffic is allowed by default unless explicitly blocked.
- A
Create three zones: Web, App, DB. Create rules that allow only necessary protocols (e.g., HTTP/HTTPS from internet to Web, specific ports from Web to App, and specific ports from App to DB).
This follows least-privilege principles by allowing only required traffic between specific zones and ports.
- B
Create three zones: Web, App, DB. Allow all traffic from Web to App and App to DB, and block all other inter-zone traffic.
Why wrong: This does not restrict which specific services are allowed; it allows all traffic between the tiers, which may be too permissive.
- C
Place web servers in an untrust zone and app/database in a trust zone, then allow all traffic from trust to untrust.
Why wrong: This would allow database servers to initiate connections to the internet, which is not required.
- D
Place all servers in the same zone and use rules to allow traffic between them.
Why wrong: This would not provide segmentation because intra-zone traffic is allowed by default unless explicitly blocked.