Free · No account needed · No credit card

Palo Alto Networks Certified Network Security Administrator PCNSA Practice Test

524 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 80 min
Pass mark: 700%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Palo Alto Networks Platforms and Architecture · easy

A security team notices that traffic from a specific internal subnet is not being inspected by the firewall. They have configured a security policy rule that matches the subnet and allows the traffic, but the traffic is still not being logged or inspected. What is the most likely cause?

A. The rule is placed below an earlier rule that also matches the traffic.
B. The firewall's license for the threat prevention subscription has expired.
C. The firewall is in an active/passive HA pair and the passive unit is handling traffic.
D. The rule is disabled in the rulebase. (Correct)

Option D is correct because if a security policy rule is disabled in the rulebase, it will not be evaluated or enforced, even if it matches the traffic. The firewall will skip the rule entirely, meaning no logging or inspection occurs for traffic that would have matched it. This …

Q2 · Palo Alto Networks Platforms and Architecture · medium

An organization is deploying a Palo Alto Networks firewall in a data center to segment traffic between three application tiers: web, app, and database. The web servers must be accessible from the internet, the app servers must only be reachable from the web servers, and the database servers must only be reachable from the app servers. Which security policy design best meets these requirements?

A. Create three zones: Web, App, DB. Create rules that allow only necessary protocols (e.g., HTTP/HTTPS from internet to Web, specific ports from Web to App, and specific ports from App to DB). (Correct)
B. Create three zones: Web, App, DB. Allow all traffic from Web to App and App to DB, and block all other inter-zone traffic.
C. Place web servers in an untrust zone and app/database in a trust zone, then allow all traffic from trust to untrust.
D. Place all servers in the same zone and use rules to allow traffic between them.

Option A is correct because it implements a least-privilege security model using Palo Alto Networks zones and granular application- and port-based rules. By creating separate zones (Web, App, DB) and explicitly allowing only the necessary protocols (e.g., HTTP/HTTPS from the inte…

Q3 · Palo Alto Networks Platforms and Architecture · hard

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

A. The firewall does not have a route to the 10.0.0.0/24 network. (Correct)
B. The security rule is not placed at the top of the rulebase.
C. A zone protection profile is blocking the traffic.
D. The destination server does not have a route back to the 192.168.1.0/24 subnet.

The traffic matches the security rule, but the firewall drops the packet because it cannot find a route to the destination network 10.0.0.0/24. In Palo Alto Networks firewalls, even if a security rule permits traffic, the firewall must have a valid route in its routing table to f…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
