PCNSA · topic practice

Managing Objects practice questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA Managing Objects practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Managing Objects

What the exam tests

What to know about Managing Objects

Managing Objects questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Managing Objects exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Managing Objects questions

20 questions · select your answer, then reveal the explanation

An administrator needs to block traffic from a specific internal IP address to the internet. Which object type should be used in the security policy source field?

Question 2mediummultiple choice
Read the full VPN explanation →

A company has multiple branch offices that use overlapping private IP ranges (192.168.0.0/16). To avoid conflicts when these branches connect to the data center via IPsec, the administrator needs to translate branch source IPs to unique addresses. Which object type is best suited for this task?

During a security audit, an administrator notices that a security policy rule uses an address group that includes an FQDN object. The FQDN resolves to multiple IP addresses that change frequently. What is the best practice for ensuring the firewall uses the current resolved IPs without manual intervention?

Question 4mediummultiple choice
Read the full Managing Objects explanation →

An administrator wants to allow only specific applications (e.g., web-browsing, ssl) from the internal network to the internet. Which object type should be used in the security policy application field?

Which TWO statements about External Dynamic Lists (EDLs) are true?

Question 6hardmultiple choice
Read the full DNS explanation →

An organization has a data center with servers in the 10.10.0.0/16 subnet and remote users who connect via GlobalProtect. The security team wants to ensure that only approved applications (web-browsing, ssl, dns) are allowed from the remote user subnet (172.16.0.0/24) to the data center. They create a security rule with source zone 'GP' (GlobalProtect), destination zone 'DC', source address '172.16.0.0/24', destination address '10.10.0.0/16', application 'web-browsing', 'ssl', 'dns', action 'allow'. After deployment, users complain that they cannot access a custom web application on port 8080, which uses HTTP but the application is identified as 'web-browsing'. The administrator checks the traffic logs and sees that the traffic is being denied by an implicit deny rule. What is the most likely cause?

Question 7mediummultiple choice
Read the full Managing Objects explanation →

Refer to the exhibit. An administrator configured a dynamic address group named 'WebServers-Group' with filter 'WebServer-*'. However, the group does not include the address objects 'WebServer-1' and 'WebServer-2'. What is the most likely reason?

Exhibit

Refer to the exhibit.

deviceconfig {
    devices {
        localhost.localdomain {
            vsys {
                vsys1 {
                    address {
                        entry {
                            @name = "WebServer-1";
                            ip-netmask = "10.0.1.10/32";
                        }
                        entry {
                            @name = "WebServer-2";
                            ip-range = "10.0.1.20-10.0.1.25";
                        }
                        entry {
                            @name = "WebServers-Group";
                            dynamic {
                                filter = "'WebServer-*'";
                            }
                        }
                    }
                }
            }
        }
    }
}

Which TWO of the following are valid methods to add an IP address to a pre-existing address group in PAN-OS? (Select two.)

Question 9hardmultiple choice
Read the full VPN explanation →

A security administrator manages a Palo Alto Networks firewall in a large enterprise. The company has multiple remote sites connected via IPSec VPNs. Each site has its own subnet (e.g., Site A: 10.10.1.0/24, Site B: 10.10.2.0/24). The administrator needs to create a security policy that allows all inter-site traffic but blocks all traffic to and from the internet except for specific services. The administrator wants to use address groups to simplify management. Currently, there are address groups for each site (e.g., 'Site-A-Networks', 'Site-B-Networks') containing the respective subnets. The administrator also has an address group 'Internet-Allow' for allowed external IPs. The policy should have a rule that permits traffic from any site to any other site, and a rule that permits traffic from internal networks to the 'Internet-Allow' group for destination ports 80 and 443. Which of the following approaches best achieves this with minimal administrative overhead?

Question 10mediumdrag order
Read the full VPN explanation →

Drag and drop the steps to configure a site-to-site IPsec VPN on a Palo Alto Networks firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 11mediumdrag order
Open the full VLAN trunking answer →

Drag and drop the steps to configure a VLAN interface on a Palo Alto Networks firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each firewall deployment mode to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Passively monitors traffic without blocking

Transparent layer 2 deployment

Routable mode with IP addresses

Failover configuration with one standby unit

Match each PAN-OS CLI command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays firewall version and uptime

Lists all interfaces and their status

Displays active security rules

Reboots the firewall

Question 14easymultiple choice
Read the full NAT/PAT explanation →

A network administrator needs to block traffic to a specific external website. Which object type should be used in the security policy to define the destination?

Question 15mediummultiple choice
Read the full Managing Objects explanation →

An administrator has created an address group that includes an FQDN address object. When the FQDN's IP address changes, how does the firewall update the group?

An organization uses multiple firewalls and wants to share dynamic address groups across them. Which feature should be used?

A security policy rule references a service object "HTTP" which is pre-defined. What is the default port for the HTTP service object?

Question 18mediummultiple choice
Review the full subnetting walkthrough →

An administrator needs to allow traffic from multiple subnets to a specific internal server. The subnets are all part of the same address group. Which object would simplify the security policy rule?

A company uses dynamic address groups based on tags. A virtual machine receives the tag "WebServer". After the VM is decommissioned, the tag is removed. What happens to the dynamic address group?

Which object type is used to group multiple service objects together for use in a security policy?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Managing Objects sessions

Start a Managing Objects only practice session

Every question in these sessions is drawn from the Managing Objects domain — nothing else.

Related practice questions

Related PCNSA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCNSA exam test about Managing Objects?
Managing Objects questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Managing Objects questions in a focused session?
Yes — the session launcher on this page draws every question from the Managing Objects domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSA topics?
Use the topic links above to move to related areas, or go back to the PCNSA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSA exam covers. They are not copied from any real exam or dump site.