- A
The security profile group applied to the rule is blocking the traffic before the rule is evaluated.
Why wrong: Security profiles are applied after rule matching; they do not prevent the rule from matching.
- B
The custom object containing the malicious IP was not committed.
Why wrong: The administrator verified the custom object is correct; if it were not committed, the rule would not match but the traffic would still be allowed by a different rule.
- C
A rule with a broader match exists above the blocking rule in the rulebase.
Rules are evaluated from top to bottom; a rule above that matches the traffic will apply, bypassing the blocking rule.
- D
The device clock is out of sync, causing time-based rules to fail.
Why wrong: Time synchronization does not affect rule matching for static IP addresses.
Quick Answer
The answer is that a rule with a broader match exists above the blocking rule in the rulebase. This occurs because Palo Alto Networks firewalls enforce security policy rule order precedence from top to bottom, meaning the first matching rule is applied and subsequent rules are skipped. If a broader allow rule, such as one permitting all traffic from a specific zone or application, is positioned above the specific deny rule for the malicious IP, traffic will match the allow rule first and be permitted, effectively overriding the intended block. On the PCNSA exam, this scenario tests your understanding of rule evaluation order and how rule order can override specific deny rules, a common trap where candidates assume a correctly configured object guarantees enforcement. Remember the memory tip: "First match wins, so watch where your deny sits."
PCNSA Securing Traffic Practice Question
This PCNSA practice question tests your understanding of securing traffic. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security administrator notices traffic from an internal user to a known malicious IP address in the corporate network. The traffic is allowed despite a security rule that blocks traffic to that IP. The rule is in a rulebase with multiple rules, and the administrator verifies that the malicious IP is correctly listed in a custom object used by the rule. What is the most likely cause of this issue?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue:
"most likely"Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
A rule with a broader match exists above the blocking rule in the rulebase.
In Palo Alto Networks firewalls, rules are evaluated from top to bottom in the rulebase. If a rule with a broader match (e.g., allowing all traffic from a specific zone or application) is placed above the specific blocking rule, traffic matching the broader rule will be permitted before reaching the block rule. This is the most likely cause because the administrator confirmed the custom object is correct and committed, ruling out configuration errors.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
The security profile group applied to the rule is blocking the traffic before the rule is evaluated.
Why it's wrong here
Security profiles are applied after rule matching; they do not prevent the rule from matching.
- ✗
The custom object containing the malicious IP was not committed.
Why it's wrong here
The administrator verified the custom object is correct; if it were not committed, the rule would not match but the traffic would still be allowed by a different rule.
- ✓
A rule with a broader match exists above the blocking rule in the rulebase.
Why this is correct
Rules are evaluated from top to bottom; a rule above that matches the traffic will apply, bypassing the blocking rule.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
The device clock is out of sync, causing time-based rules to fail.
Why it's wrong here
Time synchronization does not affect rule matching for static IP addresses.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may assume a correctly configured object guarantees enforcement, overlooking the fundamental rulebase ordering principle where a higher-priority allow rule can override a lower-priority block rule.
Detailed technical explanation
How to think about this question
Palo Alto firewalls use a first-match model in the rulebase: traffic is evaluated against rules in order, and the first rule that matches (based on source, destination, application, user, etc.) is applied. A common misconfiguration is placing a broad allow rule (e.g., any-any) above a specific block rule, causing the block rule to never be reached. This is often seen in environments where administrators add new rules without considering rule order.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Securing Traffic — study guide chapter
Learn the concepts, then practise the questions
- →
Securing Traffic practice questions
Targeted practice on this topic area only
- →
All PCNSA questions
524 questions across all exam domains
- →
Palo Alto Networks Certified Network Security Administrator PCNSA study guide
Full concept coverage aligned to exam objectives
- →
PCNSA practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related PCNSA practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Managing Objects practice questions
Practise PCNSA questions linked to Managing Objects.
Policy Evaluation and Management practice questions
Practise PCNSA questions linked to Policy Evaluation and Management.
Securing Traffic practice questions
Practise PCNSA questions linked to Securing Traffic.
Core Concepts practice questions
Practise PCNSA questions linked to Core Concepts.
Palo Alto Networks Platforms and Architecture practice questions
Practise PCNSA questions linked to Palo Alto Networks Platforms and Architecture.
Device Management and Services practice questions
Practise PCNSA questions linked to Device Management and Services.
App-ID and Content-ID practice questions
Practise PCNSA questions linked to App-ID and Content-ID.
Decryption and Monitoring practice questions
Practise PCNSA questions linked to Decryption and Monitoring.
PCNSA fundamentals practice questions
Practise PCNSA questions linked to PCNSA fundamentals.
PCNSA scenario practice questions
Practise PCNSA questions linked to PCNSA scenario.
PCNSA troubleshooting practice questions
Practise PCNSA questions linked to PCNSA troubleshooting.
Practice this exam
Start a free PCNSA practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this PCNSA question test?
Securing Traffic — This question tests Securing Traffic — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: A rule with a broader match exists above the blocking rule in the rulebase. — In Palo Alto Networks firewalls, rules are evaluated from top to bottom in the rulebase. If a rule with a broader match (e.g., allowing all traffic from a specific zone or application) is placed above the specific blocking rule, traffic matching the broader rule will be permitted before reaching the block rule. This is the most likely cause because the administrator confirmed the custom object is correct and committed, ruling out configuration errors.
What should I do if I get this PCNSA question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
2 more ways this is tested on PCNSA
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A network administrator is troubleshooting a connectivity issue. The firewall has a security rule that allows traffic from the Trust zone to the Untrust zone for the subnet 192.168.1.0/24 with application 'web-browsing'. However, users in that subnet cannot access any external websites. The administrator checks the logs and sees that the traffic is being blocked by a rule named 'Deny All' that is listed before the allow rule in the policy order. What is the most likely cause of the problem? The rule order is incorrect; the allow rule is below the 'Deny All' rule. The source address object for the allow rule is misconfigured with a wrong subnet mask. The application 'web-browsing' is not being properly identified by App-ID. The User-ID agent is overriding the allow rule and triggering a block action.
easy- ✓ A.The rule order is incorrect; the allow rule is below the 'Deny All' rule.
- B.The application 'web-browsing' is not being properly identified by App-ID.
- C.The source address object for the allow rule is misconfigured with a wrong subnet mask.
- D.The User-ID agent is overriding the allow rule and triggering a block action.
Why A: Option A is correct because in Palo Alto Networks firewalls, rules are evaluated in top-down order. If the 'Deny All' rule is above the allow rule, it will match first and block traffic. Options B, C, and D are plausible but less likely given the log evidence.
Variation 2. A security administrator notices that traffic from the internal trust zone to the external untrust zone is being allowed despite a security policy rule explicitly denying that traffic. The rule is present in the policy list and the match conditions seem correct. What is the most likely cause of this issue?
medium- A.The security policy is not enabled on the firewall.
- B.The deny rule was removed from the configuration.
- C.The traffic is matching the implicit deny rule at the end.
- ✓ D.There is an allow rule above the deny rule that matches the traffic first.
Why D: Option D is correct because any deny rule placed after a matching allow rule will not be evaluated if the allow rule is hit first. Rule order is critical in PAN-OS. Option A is wrong because removing the rule is not the cause. Option B is wrong because policy is not optional. Option C is wrong because implicit deny exists but only if no rule matches.
Last reviewed: Jun 11, 2026
This PCNSA practice question is part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNSA exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.