Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.
Start practicing
Troubleshoot — choose a session length
Free · No account required
Domain overview
Use this page to practise Troubleshoot questions for this certification. Focus on how the exam tests troubleshoot in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.
Exam objectives
Core Troubleshoot concepts and how they apply in real-world cloud scenarios.
How to deploy troubleshoot correctly and verify the outcome.
Troubleshooting troubleshoot issues by interpreting error output and system state.
Cloud best practices and Troubleshoot design trade-offs tested by this certification.
Selecting the most expensive service when a simpler managed option meets the requirement.
Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
Choosing a global service fix when the issue is region-specific.
Overlooking cost implications of cross-region data transfer in architecture questions.
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?
2An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?
3A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?
4A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?
5An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?
6After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?
7A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?
8An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?
9Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?
10Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?
11Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?
12Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?
13Refer to the exhibit. The traffic log shows a drop event from source IP 203.0.113.10 to destination 10.1.1.200 on port 443. The rule matched is 'deny-rule'. What is the most likely reason for this drop?
14A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?
15A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?
16A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?
17A security administrator notices that traffic logs are not being generated for allowed traffic from a specific subnet. The security policy rule for that subnet has 'Log at Session End' enabled. What should the engineer check?
18In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?
19A firewall administrator is troubleshooting a scenario where users cannot reach an internal web server. The security policy allows the traffic, and the server is reachable from other networks. What should the administrator check first?
20A company is using GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show successful GlobalProtect tunnel establishment. What is the most likely issue?
21A firewall is experiencing high CPU utilization. The engineer suspects a denial-of-service attack. Which command should be used to identify the source of the attack?
22A network engineer needs to verify that a specific security rule is being hit by traffic. Which firewall log should be examined?
23A user reports that they cannot access a website. The firewall logs show the session was denied with 'No rule matched'. The security policy has a rule that should match the traffic. What is the most likely cause?
24A firewall has a security policy that includes a rule with a 'Schedule' object. During the scheduled time, traffic should be allowed, but it is being blocked. The schedule is configured correctly. What could be the issue?
25Which TWO are valid methods to troubleshoot a firewall not passing traffic? (Choose two.)
26Which TWO are common causes of session drops after the initial handshake? (Choose two.)
27Which THREE are required for a successful firewall-to-firewall IPSec VPN tunnel? (Choose three.)
28Refer to the exhibit. The session is in FIN_WAIT state. What does this indicate about the TCP connection?
29A user reports that they cannot access a specific website. Traffic matches a security policy rule that allows the application 'web-browsing' but the session is being dropped. Which of the following is the most likely cause?
30After upgrading Panorama to a newer version, a configuration push to a managed firewall fails with the error 'Commit failed: template validation error.' Which of the following should be checked first?
31An organization uses SSL Forward Proxy decryption for all web traffic. A user reports intermittent connectivity issues to a SaaS application. The firewall shows no drops or errors. Which of the following is the most likely cause?
32A security policy rule is configured to deny traffic, but no logs are generated when the traffic is denied. Which of the following is the most likely reason?
33A network administrator wants to verify if a specific internal IP address (10.1.1.100) is being translated to a public IP when accessing the internet. Which CLI command should be used?
34A Panorama-managed firewall is not sending logs to Panorama. The firewall is operational and policies are being pushed successfully. Which of the following is the most likely cause?
35A remote user is unable to connect to the GlobalProtect gateway. The user's client shows 'Connecting' but never establishes a tunnel. The firewall shows no drops in the GlobalProtect logs. Which of the following should be checked first?
36A new application is not being identified by the firewall. Traffic for the application is being treated as 'unknown-tcp'. Which action should be taken to resolve this?
37A Palo Alto Networks firewall experiences high CPU utilization consistently above 90%. Which of the following is the most effective first step to identify the cause?
38Which TWO CLI commands can be used to check whether a specific security policy rule is being matched by traffic? (Choose two.)
39Which TWO methods can be used to export logs from Panorama to an external system? (Choose two.)
40Which THREE factors can cause a session to be terminated abnormally with a 'tcp-rst-from-server' or 'tcp-rst-from-client' flag in the session end reason? (Choose three.)
41Refer to the exhibit. A user at 10.1.1.10 is trying to connect to a web server at 203.0.113.5 on port 443. The session shows 'State: DROP' with reason 'policy-deny'. However, the administrator has a security policy rule that allows SSL traffic from the source zone to the destination zone. What is the most likely cause of the drop?
42Refer to the exhibit. A user at 10.1.1.10 attempts to access https://www.example.com (port 443). The firewall correctly identifies the application as 'ssl' and matches the rule 'Allow-SSL'. However, the session is still being denied. What is the most likely reason?
43Refer to the exhibit. A firewall system log contains a critical license expiration entry for URL Filtering. What will happen to URL Filtering functionality?
44A network engineer notices that traffic from a specific subnet is being dropped by the firewall. The traffic log shows 'drop' with reason 'policy deny'. The engineer checks the security policy and confirms there is an allow rule for that subnet. What should be checked next?
45During a troubleshooting session, a user reports that they cannot access an internal web server through the firewall's public IP. The firewall is configured with destination NAT. The engineer checks the NAT policy and sees the rule is active. What should be the next step to verify the NAT is functioning correctly?
46An administrator is troubleshooting VPN tunnel flapping. The logs show multiple Phase 2 rekeys. The tunnel uses IKEv2 with pre-shared key. What is the most likely cause?
47After upgrading a PA-5250, the firewall is not passing traffic. The administrator checks the dataplane CPU utilization and sees it is at 100%. Which command should be run to identify the cause?
48A firewall is configured with User-ID mapping via domain controller polling. Some users are not being mapped correctly. What is the most likely cause?
49A security administrator is trying to isolate a performance issue on a PA-3220. Which two commands provide real-time information about the dataplane performance? (Choose two.)
50An engineer is troubleshooting a scenario where traffic from a specific source IP is not being logged although the security policy log setting is set to 'log at session end'. Which three conditions could prevent logging for that traffic? (Choose three.)
51A healthcare organization recently replaced their primary internet circuit and changed the next-hop IP for the default route from 203.0.113.1 to 198.51.100.1. After the change, all internet traffic is failing. The firewall is a PA-220 running PAN-OS 9.1. The administrator verifies that the new default route is present in the virtual router and that the security policies are unchanged. The IP address configuration on the ethernet interface is correct and the link is up. When pinging 8.8.8.8 from the firewall's management interface, it succeeds. But traffic from internal hosts fails. The traffic log shows 'drop' with reason 'route - no route to host'. What is the most likely cause?
52A large enterprise uses a PA-5250 as a perimeter firewall with multiple virtual systems (vsys). One vsys is for the DMZ, and it is logging high amounts of dropped traffic. The administrator notices that the firewall's dataplane CPU is consistently above 80%. The logs show many 'application-id timeout' drops. The DMZ hosts are running custom applications on non-standard ports. What is the first step to mitigate the issue?
53A company uses GlobalProtect for remote access. After upgrading the GP portal and gateway from 5.0 to 5.1, some users cannot connect. They report that they receive 'Unable to connect to gateway' error. The firewall logs show that the user is unable to authenticate. The authentication profile uses LDAP. The administrator can successfully bind to the LDAP server from the firewall CLI. What could be the issue?
54A network engineer is troubleshooting a slow file transfer through a PA-5200. The file transfer is between two sites connected via IPsec VPN. The firewall has a symmetric crypto profile with AES-256 and SHA-256. The throughput is lower than expected. The engineer checks the dataplane CPU and sees it is 30%. The firewall's interface counters show no errors. What should be the first step to improve throughput?
55A security administrator reports that they can ping and access internal resources, but cannot access any external websites. The firewall is configured with a default route pointing to the internet router, and the NAT policy includes a source NAT rule for the internal subnet. Which step should the administrator take first to troubleshoot this issue?
56Based on the exhibit, which THREE conclusions can be drawn?
57A company with multiple branch offices connects to headquarters using IPSec VPN tunnels terminated on PA-220 firewalls. Users at one branch report intermittent connectivity issues when accessing critical applications hosted at HQ. Ping tests to HQ servers succeed consistently, but TCP-based applications (e.g., file transfers, web access) frequently drop connections after a few seconds, particularly when transferring large data. The VPN tunnel status shows 'active' with no rekeys. Security policies are configured to allow all required application traffic. Interface statistics show no discards or errors. Which action should be taken to resolve the issue?
Deep-dive questions
The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.
Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.
The Courseiva PCNSE question bank contains 57 questions in the Troubleshoot domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Troubleshoot domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included