PCNSA · topic practice

Policy Evaluation and Management practice questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA Policy Evaluation and Management practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Policy Evaluation and Management

What the exam tests

What to know about Policy Evaluation and Management

Policy Evaluation and Management questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Policy Evaluation and Management exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Policy Evaluation and Management questions

20 questions · select your answer, then reveal the explanation

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

A network engineer needs to ensure that all traffic from the 'Guest' zone to the 'Internet' zone is inspected for malware, but also wants to allow high-bandwidth video conferencing traffic to bypass threat inspection for performance reasons. Which approach best achieves this?

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

An organization has a security policy that requires all outbound HTTP traffic from the 'Corporate' zone to the 'Internet' zone to be inspected by the URL Filtering profile. However, the administrator notices that some users can still access blocked categories. What is the most likely cause?

A firewall administrator is tasked with implementing a policy that allows SSH access from the 'Admin' zone to the 'Core' zone only for specific administrators, and all other SSH attempts should be logged and dropped. The company has a large number of administrators. Which method is most efficient and scalable?

Which TWO statements correctly describe best practices for managing security policies in Palo Alto Networks firewalls? (Choose two.)

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

A user at 192.168.1.10 attempts to access a social networking site (application: social-networking). Based on the exhibit, what will the firewall do?

Exhibit

Refer to the exhibit.

admin@PA-500> show running security-policy

  name                             from             to              source        destination    application     action
  ------------------------------------------------------------------------------------------------------------------
1  allow-web                       trust            untrust         192.168.1.0/24 any            web-browsing    allow
2  block-social                    trust            untrust         192.168.1.0/24 any            social-networking deny
3  allow-all                       trust            untrust         any            any            any             allow

Question 9 · hard · multiple choice

A company has a Palo Alto Networks firewall in production. They recently configured a new security policy rule to allow outbound HTTPS traffic from the internal network (10.0.0.0/8) to the internet. The rule is placed after a block rule that denies all traffic from 10.0.0.0/8 to any external destination. After committing, users report that HTTPS access is still blocked. The administrator checks the firewall logs and sees that the traffic is being denied by the block rule. The administrator verifies the rule order: the new allow rule is at position 5, and the block rule is at position 3. The administrator also checks that the source zone (Trust) and destination zone (Untrust) are correct. What is the most likely cause of the issue?

Question 10 · medium · multi select

A security administrator notices that traffic from an internal user to a specific external web application is being blocked unexpectedly. The user's IP is 10.10.1.50 and the destination is 203.0.113.5 on port 443. The administrator has already verified that there is a security rule allowing the traffic. Which two logs should the administrator check first to diagnose the issue?

Question 11 · hard · multi select

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

Question 12 · easy · multiple choice

Refer to the exhibit. A user on the Sales subnet (10.10.1.50) attempts to browse to an external website using HTTP (port 80) to download a legitimate file. The website's IP is 203.0.113.50. Which rule will match this traffic?

Exhibit

Refer to the exhibit.

admin@PA-5020> show running security-policy
Set application-default

rule  id  name                        from         to           source        destination  application  service   action
---  ---  --------------------------- ----------- ------------ ------------- ------------ ------------ ---------- -------
    1    Allow-Sales-to-App           Sales        App-Servers  10.10.1.0/24  10.20.1.100  any           tcp/80    allow
    2    Allow-Any-Web                any          any           any           any          web-browsing  tcp/80    allow
    3    Block-Restricted-Apps        any          any           any           any          bittorrent    any       deny
    4    Allow-DNS                    any          any           any           any          dns           udp/53    allow

Drag and drop the steps to configure Active/Passive High Availability on a Palo Alto Networks firewall into the correct order.

Match each security rule type to its purpose.

Blocks known attack patterns

Controls access to websites

Prevents transfer of specific file types

Prevents sensitive data exfiltration

Question 15 · medium · multiple choice

A network administrator notices that traffic from a specific subnet is being denied even though there is a permit rule that matches the source and destination. The rulebase has over 500 rules. What is the most likely cause?

After a policy change, a security administrator commits the candidate configuration, but the changes do not take effect immediately for all users. Some users report connectivity issues while others do not. What should the administrator check first?

A company wants to block file-sharing applications like BitTorrent, but allow HTTP and HTTPS. Which type of policy is most appropriate to achieve this granular control?

Question 18 · medium · multiple choice

An administrator is troubleshooting why a rule is not being hit. The rule has source zone Trust, destination zone Untrust, source address 10.0.0.0/8, destination address any, application web-browsing, action allow, and log at session end. The traffic is coming from 10.1.1.1 to 1.2.3.4 on port 80, zone Trust to Untrust. The rule count shows zero hits. What could be the issue?

An administrator wants to use Policy Optimizer to consolidate rules. Which of the following is a prerequisite for using Policy Optimizer on a rule?

Question 20 · medium · multiple choice

A security rule is configured with source zone 'Trust', destination zone 'Untrust', source address 'any', destination address '10.10.10.0/24', application 'ssl', service 'https', action 'allow', log at session end. A user from Trust zone tries to access https://10.10.10.5. The traffic is not matching. What is the most likely reason?

Frequently asked questions

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Policy Evaluation and Management questions in a focused session?
Yes — the session launcher on this page draws every question from the Policy Evaluation and Management domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSA topics?
Use the topic links above to move to related areas, or go back to the PCNSA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSA exam covers. They are not copied from any real exam or dump site.