PCNSA · topic practice

Device Management and Services practice questions

Practise Device Management and Services questions for the Palo Alto Networks Certified Network Security Administrator (PCNSA) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Device Management and Services

What the exam tests

What to know about Device Management and Services

Device Management and Services questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Device Management and Services exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Device Management and Services questions


A security administrator notices that a user's traffic is being blocked unexpectedly. The user's IP is 10.1.1.100, and the traffic is destined to a web server at 192.168.2.10. The administrator has already verified that there are no security rules explicitly denying the traffic. Which Log Viewer query should the administrator use to quickly identify the cause?

Question 2 · easy · multiple choice

A company wants to deploy a new firewall with a management interface on a separate VLAN to ensure management traffic is isolated from production traffic. Which interface type should be used for management access?

During a firewall upgrade from PAN-OS 9.1 to 10.0, the administrator receives an error that the upgrade cannot proceed because there is a pending commit. The administrator checks the commit status and sees that a commit was initiated but has not completed. What is the best course of action?

An administrator needs to generate a report showing all applications used by a specific user group over the past week. Which method is most efficient?

Question 5 · easy · multiple choice

A network engineer wants to configure a new VLAN interface on a Palo Alto Networks firewall. After creating the VLAN object and assigning it to an Ethernet interface, the VLAN interface remains down. What is the most likely cause?

An organization is deploying a firewall in a high-availability (HA) pair. The administrator wants to ensure that session state is synchronized between the firewalls so that active sessions are not dropped during failover. Which configuration is required?

A security analyst notices that a legitimate application is being incorrectly identified as a different application by the firewall. What is the best first step to resolve this issue?

An administrator needs to back up the firewall configuration before making changes. Which method creates a complete backup that can be restored to the same or a different firewall?

Which TWO of the following are valid methods to upgrade the PAN-OS version on a Palo Alto Networks firewall?

Which THREE of the following are valid steps when configuring a new virtual wire (vwire) on a Palo Alto Networks firewall?

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

Refer to the exhibit. The firewall is experiencing performance issues and dropping sessions. Based on the exhibit, what is the most likely cause?

Exhibit


admin@PA-500> show system info | match uptime
System time: Fri Aug 23 14:22:10 2024
Uptime: 0 days, 2:15:33

admin@PA-500> show system resources
CPU: 45%  Memory: 78%

admin@PA-500> show session info
Total active sessions: 85000
Max sessions: 100000

admin@PA-500> show running resource-monitor
Resource: dataplane
CPU: 89%  Memory: 92%

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

Exhibit


admin@PA-3020> show running security-policy

rulebase security rules
  rule 1 name "Allow-Sales"
    source [ 10.1.1.0/24 ]
    destination [ 192.168.1.0/24 ]
    application [ ms-sql ]
    service [ tcp-1433 ]
    action allow
    log-start no
  rule 2 name "Allow-HR"
    source [ 10.1.2.0/24 ]
    destination [ 192.168.2.0/24 ]
    application [ web-browsing ]
    service [ application-default ]
    action allow
    log-start yes

admin@PA-3020> show session id 12345
Source IP: 10.1.1.50
Destination IP: 192.168.1.100
Application: ssl
Service: tcp-443

admin@PA-3020> show log traffic | match 10.1.1.50
... no results ...

A company has two Palo Alto Networks firewalls in an active/passive HA pair (PA-5250) running PAN-OS 10.1. The HA configuration uses dedicated HA1 (control link) and HA2 (data link) interfaces. The network team recently replaced a failed switch that connected the HA1 interfaces. After the switch replacement, the HA pair is not forming. The administrator logs into the active firewall and runs 'show high-availability state' which shows the local state as 'active' and the peer state as 'unknown'. The HA1 interface status shows 'link down'. The administrator checks the physical connections and confirms the cables are connected and the switch ports are up. What is the most likely cause and the best course of action?

A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?

A security engineer needs to ensure that all traffic from the internal network to the internet is inspected by the firewall. The firewall is deployed in layer 3 mode with virtual wire subinterfaces. Which configuration is required to achieve this?

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

Question 18 · easy · multiple choice

A network administrator wants to allow FTP traffic from the internal network to a specific external server. The administrator creates a security policy rule with source zone 'internal', destination zone 'external', destination IP of the server, and application 'ftp'. However, the traffic is still blocked. What is the most likely reason?

Question 19 · medium · multiple choice

A security administrator notices that a security policy rule is not matching traffic that should be allowed. The rule specifies source address as 10.0.1.0/24, destination address as 192.168.2.0/24, and application 'web-browsing'. The traffic originates from 10.0.1.5 to 192.168.2.10 using HTTPS. The traffic log shows that another rule with higher priority is matching and denying the traffic. What should the administrator check first?

Question 20 · medium · multi select

Which TWO of the following are required when configuring a new virtual router on a Palo Alto Networks firewall?


Focused Device Management and Services sessions

Start a Device Management and Services only practice session

Every question in these sessions is drawn from the Device Management and Services domain — nothing else.


Frequently asked questions

What does the PCNSA exam test about Device Management and Services?
Device Management and Services questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong; this active recall approach builds retention far faster than re-reading notes.

Can I practise just Device Management and Services questions in a focused session?
Yes. The session launcher on this page draws every question from the Device Management and Services domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other PCNSA topics?
Use the topic links above to move to related areas, or go back to the PCNSA question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSA exam covers. They are not copied from any real exam or dump site.