Back to Palo Alto Networks Certified Network Security Administrator PCNSA questions

Scenario-based practice

Select Two (Multi-Select) Questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20
scenario questions
PCNSA
exam code
Palo Alto Networks
vendor

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. Getting partial credit is not a thing — you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related PCNSA topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmulti select
Full question →

A security engineer is configuring a Palo Alto Networks firewall to protect a web server. The engineer wants to ensure that only HTTP and HTTPS traffic is allowed to the server, and that the traffic is inspected for threats. Which TWO actions should the engineer take?

Question 2hardmulti select
Full question →

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

Question 3mediummulti select
Full question →

Which TWO actions can be taken in a security policy rule to allow traffic from the corporate network to the internet while also logging the traffic?

Question 4hardmulti select
Read the full DNS explanation →

Which TWO actions should be taken to protect against DNS tunneling? (Choose two.)

Question 5mediummulti select
Full question →

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

Question 6hardmulti select
Full question →

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

Question 7hardmulti select
Full question →

Which THREE of the following are valid steps when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Question 8mediummulti select
Full question →

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

Question 9mediummulti select
Full question →

Which TWO of the following are valid methods to upgrade the PAN-OS version on a Palo Alto Networks firewall?

Question 10easymulti select
Full question →

Which two components are part of Content-ID? (Choose two.)

Question 11mediummulti select
Full question →

Which TWO of the following are true about App-ID? (Choose two.)

Question 12hardmulti select
Full question →

Which THREE factors should be considered when troubleshooting App-ID misidentification? (Choose three.)

Question 13easymulti select
Full question →

Which TWO are capabilities of Content-ID? (Choose two.)

Question 14mediummulti select
Full question →

Which THREE of the following are valid actions for a decryption policy rule? (Choose three.)

Question 15easymulti select
Full question →

Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)

Question 16hardmulti select
Full question →

Which TWO of the following are valid methods to add an IP address to a pre-existing address group in PAN-OS? (Select two.)

Question 17easymulti select
Full question →

A network administrator is configuring a new Palo Alto Networks firewall for the first time. Which THREE initial configuration steps are required to allow basic outbound internet access from the internal network?

Which TWO of the following are valid methods to deploy a Palo Alto Networks firewall in a virtualized environment? (Choose two.)

Question 19mediummulti select
Full question →

Which THREE are valid methods to decrypt SSL/TLS traffic on a Palo Alto Networks firewall? (Choose three.)

Question 20hardmulti select
Full question →

Which THREE actions can a Security policy rule perform on traffic?

These PCNSA practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.