
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: PCNSA | Vendor: Palo Alto Networks

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

Exhibit

Refer to the exhibit.

admin@PA-500> show running security-policy

   name          from   to       source          destination  application        action
   ------------------------------------------------------------------------------------
1  allow-web     trust  untrust  192.168.1.0/24  any          web-browsing       allow
2  block-social  trust  untrust  192.168.1.0/24  any          social-networking  deny
3  allow-all     trust  untrust  any             any          any                allow

Question 2 (easy, multiple choice)

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

Exhibit

Refer to the exhibit.

admin@PA-5020> show running security-policy
Set application-default

rule  id  name                   from   to           source        destination  application   service  action
----  --  ---------------------  -----  -----------  ------------  -----------  ------------  -------  ------
      1   Allow-Sales-to-App     Sales  App-Servers  10.10.1.0/24  10.20.1.100  any           tcp/80   allow
      2   Allow-Any-Web          any    any          any           any          web-browsing  tcp/80   allow
      3   Block-Restricted-Apps  any    any          any           any          bittorrent    any      deny
      4   Allow-DNS              any    any          any           any          dns           udp/53   allow

Question 3 (medium, multiple choice)

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

Exhibit

Refer to the exhibit.

admin@PA-500> show counter global | match tcp

tcp-conn-init           1500
tcp-conn-established    1200
tcp-conn-closed         1400
tcp-conn-failed         200
tcp-conn-reset          100
tcp-conn-half-open      50
tcp-conn-timeout        30

Question 4 (medium, multiple choice)

Refer to the exhibit. A user from the trust zone (10.0.0.5) is trying to access a web server at 203.0.113.1 on port 80. The firewall shows a session with application 'incomplete'. What is the most likely reason for this?

Exhibit

Refer to the exhibit.

show system info | match model
vm-series

show running security-policy
set rulebase security rules "Allow-Web" from [ trust ] to [ untrust ] source [ 10.0.0.0/24 ] destination [ any ] application [ web-browsing ] service [ application-default ] action allow
set rulebase security rules "Block-All" from [ any ] to [ any ] source [ any ] destination [ any ] application [ any ] service [ any ] action deny

show running nat-policy
set rulebase nat rules "NAT-Internet" from [ trust ] to [ untrust ] source [ 10.0.0.0/24 ] destination [ any ] service [ any ] to-interface [ ethernet1/2 ] snat-interface

show session all filter source 10.0.0.5
session id 12345, application incomplete, source 10.0.0.5:50000, destination 203.0.113.1:80, nat source 10.0.0.5, nat destination 203.0.113.1, rule Allow-Web, nat rule NAT-Internet, state active, type flow

Question 5 (medium, multiple choice)

Refer to the exhibit. An administrator configured a dynamic address group named 'WebServers-Group' with filter 'WebServer-*'. However, the group does not include the address objects 'WebServer-1' and 'WebServer-2'. What is the most likely reason?

Exhibit

Refer to the exhibit.

deviceconfig {
    devices {
        localhost.localdomain {
            vsys {
                vsys1 {
                    address {
                        entry {
                            @name = "WebServer-1";
                            ip-netmask = "10.0.1.10/32";
                        }
                        entry {
                            @name = "WebServer-2";
                            ip-range = "10.0.1.20-10.0.1.25";
                        }
                        entry {
                            @name = "WebServers-Group";
                            dynamic {
                                filter = "'WebServer-*'";
                            }
                        }
                    }
                }
            }
        }
    }
}

Question 6 (hard, multiple choice)

Refer to the exhibit. An administrator notices a large number of decryption sessions. What is a valid conclusion based on the output?

Exhibit

Refer to the exhibit.

# show system info | match decrypt
Decryption status: enabled
Decryption sessions: 523 (current), 1024 (peak)
Certificate errors: 12 (since last hour)

# show decryption statistics
Policy hits: Decrypt: 1500, No Decrypt: 300
TLS version failures: 5 (TLS 1.0: 3, TLS 1.1: 2)

Question 7 (medium, multiple choice)

Refer to the exhibit. A user in the trust zone accesses a banking site (category: financial-services). What action will the firewall take on this HTTPS session?

Exhibit

Refer to the exhibit.

{
  "decryption_rules": [
    {
      "name": "rule1",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["financial-services"],
      "action": "no-decrypt",
      "description": "Skip decryption for finance sites"
    },
    {
      "name": "rule2",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["any"],
      "action": "decrypt",
      "description": "Decrypt all other traffic"
    }
  ]
}

Question 8 (medium, multiple choice)

Refer to the exhibit. A firewall has learned three routes for the 10.0.1.0/24 network. Which route will be used for forwarding traffic destined to 10.0.1.1?

Exhibit

Refer to the exhibit.

show routing route 10.0.1.0/24

vr: default
10.0.1.0/24
  via 10.0.0.2, interface ethernet1/3, metric 10, preference 10, route-type static
  via 10.0.0.3, interface ethernet1/4, metric 20, preference 10, route-type static
  via 10.0.0.4, interface ethernet1/5, metric 10, preference 30, route-type ospf

Question 9 (medium, multiple choice)

Refer to the exhibit. A firewall has the configuration shown. A security policy allows traffic from the internal zone to the external zone. However, users on the internal network (192.168.1.0/24) cannot reach the internet. What is the most likely cause?

Exhibit

> show system info

hostname: PA-5250
model: PA-5250
sw-version: 10.1.3
app-version: 8340-5987
threat-version: 8340-5987

> show running ip-route

destination: 0.0.0.0/0
nexthop: 10.0.0.1
interface: ethernet1/1

> show interface ethernet1/1

interface: ethernet1/1
state: up
ip address: 10.0.0.2/24
zone: external

> show interface ethernet1/2

interface: ethernet1/2
state: down
ip address: 192.168.1.1/24
zone: internal

Question 10 (hard, multiple choice)

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

Exhibit

Refer to the exhibit.

admin@PA-3020> show running security-policy

rulebase security rules
  rule 1 name "Allow-Sales"
    source [ 10.1.1.0/24 ]
    destination [ 192.168.1.0/24 ]
    application [ ms-sql ]
    service [ tcp-1433 ]
    action allow
    log-start no
  rule 2 name "Allow-HR"
    source [ 10.1.2.0/24 ]
    destination [ 192.168.2.0/24 ]
    application [ web-browsing ]
    service [ application-default ]
    action allow
    log-start yes

admin@PA-3020> show session id 12345
Source IP: 10.1.1.50
Destination IP: 192.168.1.100
Application: ssl
Service: tcp-443

admin@PA-3020> show log traffic | match 10.1.1.50
... no results ...

Question 11 (medium, multiple choice)

Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?

Exhibit

Refer to the exhibit.

admin@PA-500> show system info | match uptime
System time: Fri Aug 23 14:22:10 2024
Uptime: 0 days, 2:15:33

admin@PA-500> show system resources
CPU: 45%  Memory: 78%

admin@PA-500> show session info
Total active sessions: 85000
Max sessions: 100000

admin@PA-500> show running resource-monitor
Resource: dataplane
CPU: 89%  Memory: 92%

Question 12 (easy, multiple choice)

Refer to the exhibit. A user at IP 10.10.10.10 tries to browse to http://192.0.2.50. Which rule matches this traffic?

Exhibit

Refer to the exhibit.

admin@PA-5050> show running security-policy

  name                      from     to       source          destination  application  service    action
  ------------------------  -------  -------  --------------  -----------  ------------  ---------  -------
  1 allow-web               trust    untrust  10.0.0.0/8      192.0.2.0/24 web-browsing  http       allow
  2 block-malware           trust    untrust  any             any          any           any        deny
  3 allow-dns               trust    untrust  any             any          dns           udp/53     allow

  Total rules: 3

Question 13 (medium, multiple choice)

Refer to the exhibit. An administrator notices a high number of decryption failures. What is the most likely cause?

Exhibit

# show decryption statistics
Decryption failures: 120
  SSL handshake failures: 80
  Certificate validation failures: 40
  Decryption successful: 980

Question 14 (hard, multiple choice)

Refer to the exhibit. What does this log indicate?

Exhibit

<log>
  <type>threat</type>
  <subtype>intrusion</subtype>
  <severity>critical</severity>
  <action>drop</action>
  <src>192.168.10.5</src>
  <dst>10.10.10.1</dst>
  <app>ssl</app>
  <threatid>40000</threatid>
</log>

Question 15 (medium, multiple choice)

Refer to the exhibit. An admin adds a new address object 'web-04' with IP 10.0.0.4 and applies it to a security policy that references the address group 'web-servers'. However, traffic to 10.0.0.4 is not allowed. What is the most likely cause?

Exhibit

> show address-group "web-servers"
Address group name: web-servers
Type: static
Members:
  web-01
  web-02
  web-03

These PCNSA practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.