Question 11 - Palo Alto Networks PCNSA Real Exam Questions [Jan 2026 Update]

Q: 11

Which feature enables an administrator to review the Security policy rule base for unused rules?

Options

Correct Answer:

Explanation

Policy Optimizer is a feature within PAN-OS specifically designed to help administrators maintain a clean and effective Security policy rulebase. It analyzes traffic logs against the configured rules to identify several types of inefficiencies. One of its primary functions is to highlight rules that have not been matched by any traffic over a specified time period (the default is 30 days), marking them as "unused." This allows administrators to safely review and remove unnecessary rules, thereby reducing the firewall's attack surface and simplifying management.

Why Incorrect

A. Test Policy Match is a troubleshooting tool used to simulate a traffic flow and determine which Security policy rule it would match. It does not analyze historical rule usage.

C. View Rulebase as Groups is a display option that organizes the rulebase visually based on tags, making it easier to navigate, but it does not analyze rule hit counts.

D. Security policy tags are labels used to organize, filter, and group rules for administrative purposes. They do not provide any analytical function regarding rule usage.

References

1. Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide

Version 11.0.

Section: Policy Optimizer > Use Policy Optimizer > Identify Unused Rules.

Content: "Policy Optimizer helps you identify and remove unused Security policy rules to reduce the attack surface. A rule is unused if it has not matched traffic for a specified number of days (the default is 30 days

but you can configure the number of days)." This directly confirms that Policy Optimizer is the feature for identifying unused rules.

2. Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide

Version 11.0.

Section: Objects > Tags.

Content: "Tags are text-based labels that you can apply to objects

policies

and network zones to group

organize

and identify them." This clarifies that tags are for organization

not analysis.

3. Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide

Version 11.0.

Section: Monitor > Manage Custom Reports > Use the Test Policy Match Tool.

Content: "Use the test policy match tool to determine which Security policy rule

if any

will match the specified traffic." This confirms the tool's purpose is for simulation

not historical analysis of rule usage.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE