Question 28 of 524
Securing TraffichardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that a rule with a broader match exists above the blocking rule in the rulebase. This occurs because Palo Alto Networks firewalls enforce security policy rule order precedence from top to bottom, meaning the first matching rule is applied and subsequent rules are skipped. If a broader allow rule, such as one permitting all traffic from a specific zone or application, is positioned above the specific deny rule for the malicious IP, traffic will match the allow rule first and be permitted, effectively overriding the intended block. On the PCNSA exam, this scenario tests your understanding of rule evaluation order and how rule order can override specific deny rules, a common trap where candidates assume a correctly configured object guarantees enforcement. Remember the memory tip: "First match wins, so watch where your deny sits."

PCNSA Securing Traffic Practice Question

This PCNSA practice question tests your understanding of securing traffic. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security administrator notices traffic from an internal user to a known malicious IP address in the corporate network. The traffic is allowed despite a security rule that blocks traffic to that IP. The rule is in a rulebase with multiple rules, and the administrator verifies that the malicious IP is correctly listed in a custom object used by the rule. What is the most likely cause of this issue?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A rule with a broader match exists above the blocking rule in the rulebase.

In Palo Alto Networks firewalls, rules are evaluated from top to bottom in the rulebase. If a rule with a broader match (e.g., allowing all traffic from a specific zone or application) is placed above the specific blocking rule, traffic matching the broader rule will be permitted before reaching the block rule. This is the most likely cause because the administrator confirmed the custom object is correct and committed, ruling out configuration errors.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The security profile group applied to the rule is blocking the traffic before the rule is evaluated.

    Why it's wrong here

    Security profiles are applied after rule matching; they do not prevent the rule from matching.

  • The custom object containing the malicious IP was not committed.

    Why it's wrong here

    The administrator verified the custom object is correct; if it were not committed, the rule would not match but the traffic would still be allowed by a different rule.

  • A rule with a broader match exists above the blocking rule in the rulebase.

    Why this is correct

    Rules are evaluated from top to bottom; a rule above that matches the traffic will apply, bypassing the blocking rule.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The device clock is out of sync, causing time-based rules to fail.

    Why it's wrong here

    Time synchronization does not affect rule matching for static IP addresses.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may assume a correctly configured object guarantees enforcement, overlooking the fundamental rulebase ordering principle where a higher-priority allow rule can override a lower-priority block rule.

Detailed technical explanation

How to think about this question

Palo Alto firewalls use a first-match model in the rulebase: traffic is evaluated against rules in order, and the first rule that matches (based on source, destination, application, user, etc.) is applied. A common misconfiguration is placing a broad allow rule (e.g., any-any) above a specific block rule, causing the block rule to never be reached. This is often seen in environments where administrators add new rules without considering rule order.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related PCNSA practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PCNSA practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PCNSA question test?

Securing Traffic — This question tests Securing Traffic — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A rule with a broader match exists above the blocking rule in the rulebase. — In Palo Alto Networks firewalls, rules are evaluated from top to bottom in the rulebase. If a rule with a broader match (e.g., allowing all traffic from a specific zone or application) is placed above the specific blocking rule, traffic matching the broader rule will be permitted before reaching the block rule. This is the most likely cause because the administrator confirmed the custom object is correct and committed, ruling out configuration errors.

What should I do if I get this PCNSA question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on PCNSA

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A network administrator is troubleshooting a connectivity issue. The firewall has a security rule that allows traffic from the Trust zone to the Untrust zone for the subnet 192.168.1.0/24 with application 'web-browsing'. However, users in that subnet cannot access any external websites. The administrator checks the logs and sees that the traffic is being blocked by a rule named 'Deny All' that is listed before the allow rule in the policy order. What is the most likely cause of the problem? The rule order is incorrect; the allow rule is below the 'Deny All' rule. The source address object for the allow rule is misconfigured with a wrong subnet mask. The application 'web-browsing' is not being properly identified by App-ID. The User-ID agent is overriding the allow rule and triggering a block action.

easy
  • A.The rule order is incorrect; the allow rule is below the 'Deny All' rule.
  • B.The application 'web-browsing' is not being properly identified by App-ID.
  • C.The source address object for the allow rule is misconfigured with a wrong subnet mask.
  • D.The User-ID agent is overriding the allow rule and triggering a block action.

Why A: Option A is correct because in Palo Alto Networks firewalls, rules are evaluated in top-down order. If the 'Deny All' rule is above the allow rule, it will match first and block traffic. Options B, C, and D are plausible but less likely given the log evidence.

Variation 2. A security administrator notices that traffic from the internal trust zone to the external untrust zone is being allowed despite a security policy rule explicitly denying that traffic. The rule is present in the policy list and the match conditions seem correct. What is the most likely cause of this issue?

medium
  • A.The security policy is not enabled on the firewall.
  • B.The deny rule was removed from the configuration.
  • C.The traffic is matching the implicit deny rule at the end.
  • D.There is an allow rule above the deny rule that matches the traffic first.

Why D: Option D is correct because any deny rule placed after a matching allow rule will not be evaluated if the allow rule is hit first. Rule order is critical in PAN-OS. Option A is wrong because removing the rule is not the cause. Option B is wrong because policy is not optional. Option C is wrong because implicit deny exists but only if no rule matches.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PCNSA practice question is part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNSA exam.