Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsPCNSEDomainsTroubleshoot
PCNSEFree — No Signup

Troubleshoot

Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.

57questions

Start practicing

Troubleshoot — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

PCNSE Domains

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPNTroubleshoot

Domain overview

About the Troubleshoot domain

Use this page to practise Troubleshoot questions for this certification. Focus on how the exam tests troubleshoot in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Exam objectives

What Troubleshoot tests on PCNSE

  1. 1

    Core Troubleshoot concepts and how they apply in real-world cloud scenarios.

  2. 2

    How to deploy troubleshoot correctly and verify the outcome.

  3. 3

    Troubleshooting troubleshoot issues by interpreting error output and system state.

  4. 4

    Cloud best practices and Troubleshoot design trade-offs tested by this certification.

Watch out — common Troubleshoot traps

  • !

    Selecting the most expensive service when a simpler managed option meets the requirement.

  • !

    Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.

  • !

    Choosing a global service fix when the issue is region-specific.

  • !

    Overlooking cost implications of cross-region data transfer in architecture questions.

Practice Troubleshoot questions

10Q20Q30Q50Q

All PCNSE Troubleshoot questions (57)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?

2

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

3

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

4

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

5

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

6

After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?

7

A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?

8

An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?

9

Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?

10

Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?

11

Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?

12

Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?

13

Refer to the exhibit. The traffic log shows a drop event from source IP 203.0.113.10 to destination 10.1.1.200 on port 443. The rule matched is 'deny-rule'. What is the most likely reason for this drop?

14

A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?

15

A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?

16

A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?

17

A security administrator notices that traffic logs are not being generated for allowed traffic from a specific subnet. The security policy rule for that subnet has 'Log at Session End' enabled. What should the engineer check?

18

In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?

19

A firewall administrator is troubleshooting a scenario where users cannot reach an internal web server. The security policy allows the traffic, and the server is reachable from other networks. What should the administrator check first?

20

A company is using GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show successful GlobalProtect tunnel establishment. What is the most likely issue?

21

A firewall is experiencing high CPU utilization. The engineer suspects a denial-of-service attack. Which command should be used to identify the source of the attack?

22

A network engineer needs to verify that a specific security rule is being hit by traffic. Which firewall log should be examined?

23

A user reports that they cannot access a website. The firewall logs show the session was denied with 'No rule matched'. The security policy has a rule that should match the traffic. What is the most likely cause?

24

A firewall has a security policy that includes a rule with a 'Schedule' object. During the scheduled time, traffic should be allowed, but it is being blocked. The schedule is configured correctly. What could be the issue?

25

Which TWO are valid methods to troubleshoot a firewall not passing traffic? (Choose two.)

26

Which TWO are common causes of session drops after the initial handshake? (Choose two.)

27

Which THREE are required for a successful firewall-to-firewall IPSec VPN tunnel? (Choose three.)

28

Refer to the exhibit. The session is in FIN_WAIT state. What does this indicate about the TCP connection?

29

A user reports that they cannot access a specific website. Traffic matches a security policy rule that allows the application 'web-browsing' but the session is being dropped. Which of the following is the most likely cause?

30

After upgrading Panorama to a newer version, a configuration push to a managed firewall fails with the error 'Commit failed: template validation error.' Which of the following should be checked first?

31

An organization uses SSL Forward Proxy decryption for all web traffic. A user reports intermittent connectivity issues to a SaaS application. The firewall shows no drops or errors. Which of the following is the most likely cause?

32

A security policy rule is configured to deny traffic, but no logs are generated when the traffic is denied. Which of the following is the most likely reason?

33

A network administrator wants to verify if a specific internal IP address (10.1.1.100) is being translated to a public IP when accessing the internet. Which CLI command should be used?

34

A Panorama-managed firewall is not sending logs to Panorama. The firewall is operational and policies are being pushed successfully. Which of the following is the most likely cause?

35

A remote user is unable to connect to the GlobalProtect gateway. The user's client shows 'Connecting' but never establishes a tunnel. The firewall shows no drops in the GlobalProtect logs. Which of the following should be checked first?

36

A new application is not being identified by the firewall. Traffic for the application is being treated as 'unknown-tcp'. Which action should be taken to resolve this?

37

A Palo Alto Networks firewall experiences high CPU utilization consistently above 90%. Which of the following is the most effective first step to identify the cause?

38

Which TWO CLI commands can be used to check whether a specific security policy rule is being matched by traffic? (Choose two.)

39

Which TWO methods can be used to export logs from Panorama to an external system? (Choose two.)

40

Which THREE factors can cause a session to be terminated abnormally with a 'tcp-rst-from-server' or 'tcp-rst-from-client' flag in the session end reason? (Choose three.)

41

Refer to the exhibit. A user at 10.1.1.10 is trying to connect to a web server at 203.0.113.5 on port 443. The session shows 'State: DROP' with reason 'policy-deny'. However, the administrator has a security policy rule that allows SSL traffic from the source zone to the destination zone. What is the most likely cause of the drop?

42

Refer to the exhibit. A user at 10.1.1.10 attempts to access https://www.example.com (port 443). The firewall correctly identifies the application as 'ssl' and matches the rule 'Allow-SSL'. However, the session is still being denied. What is the most likely reason?

43

Refer to the exhibit. A firewall system log contains a critical license expiration entry for URL Filtering. What will happen to URL Filtering functionality?

44

A network engineer notices that traffic from a specific subnet is being dropped by the firewall. The traffic log shows 'drop' with reason 'policy deny'. The engineer checks the security policy and confirms there is an allow rule for that subnet. What should be checked next?

45

During a troubleshooting session, a user reports that they cannot access an internal web server through the firewall's public IP. The firewall is configured with destination NAT. The engineer checks the NAT policy and sees the rule is active. What should be the next step to verify the NAT is functioning correctly?

46

An administrator is troubleshooting VPN tunnel flapping. The logs show multiple Phase 2 rekeys. The tunnel uses IKEv2 with pre-shared key. What is the most likely cause?

47

After upgrading a PA-5250, the firewall is not passing traffic. The administrator checks the dataplane CPU utilization and sees it is at 100%. Which command should be run to identify the cause?

48

A firewall is configured with User-ID mapping via domain controller polling. Some users are not being mapped correctly. What is the most likely cause?

49

A security administrator is trying to isolate a performance issue on a PA-3220. Which two commands provide real-time information about the dataplane performance? (Choose two.)

50

An engineer is troubleshooting a scenario where traffic from a specific source IP is not being logged although the security policy log setting is set to 'log at session end'. Which three conditions could prevent logging for that traffic? (Choose three.)

51

A healthcare organization recently replaced their primary internet circuit and changed the next-hop IP for the default route from 203.0.113.1 to 198.51.100.1. After the change, all internet traffic is failing. The firewall is a PA-220 running PAN-OS 9.1. The administrator verifies that the new default route is present in the virtual router and that the security policies are unchanged. The IP address configuration on the ethernet interface is correct and the link is up. When pinging 8.8.8.8 from the firewall's management interface, it succeeds. But traffic from internal hosts fails. The traffic log shows 'drop' with reason 'route - no route to host'. What is the most likely cause?

52

A large enterprise uses a PA-5250 as a perimeter firewall with multiple virtual systems (vsys). One vsys is for the DMZ, and it is logging high amounts of dropped traffic. The administrator notices that the firewall's dataplane CPU is consistently above 80%. The logs show many 'application-id timeout' drops. The DMZ hosts are running custom applications on non-standard ports. What is the first step to mitigate the issue?

53

A company uses GlobalProtect for remote access. After upgrading the GP portal and gateway from 5.0 to 5.1, some users cannot connect. They report that they receive 'Unable to connect to gateway' error. The firewall logs show that the user is unable to authenticate. The authentication profile uses LDAP. The administrator can successfully bind to the LDAP server from the firewall CLI. What could be the issue?

54

A network engineer is troubleshooting a slow file transfer through a PA-5200. The file transfer is between two sites connected via IPsec VPN. The firewall has a symmetric crypto profile with AES-256 and SHA-256. The throughput is lower than expected. The engineer checks the dataplane CPU and sees it is 30%. The firewall's interface counters show no errors. What should be the first step to improve throughput?

55

A security administrator reports that they can ping and access internal resources, but cannot access any external websites. The firewall is configured with a default route pointing to the internet router, and the NAT policy includes a source NAT rule for the internal subnet. Which step should the administrator take first to troubleshoot this issue?

56

Based on the exhibit, which THREE conclusions can be drawn?

57

A company with multiple branch offices connects to headquarters using IPSec VPN tunnels terminated on PA-220 firewalls. Users at one branch report intermittent connectivity issues when accessing critical applications hosted at HQ. Ping tests to HQ servers succeed consistently, but TCP-based applications (e.g., file transfers, web access) frequently drop connections after a few seconds, particularly when transferring large data. The VPN tunnel status shows 'active' with no rekeys. Security policies are configured to allow all required application traffic. Interface statistics show no discards or errors. Which action should be taken to resolve the issue?

Practice all 57 Troubleshoot questions

Deep-dive questions

Must-know Troubleshoot questions

The most-searched questions in this domain — detailed explanations, worked examples, full answer breakdowns.

  • Identify DoS Attack Source: Show Session All Command→
  • Troubleshooting Intermittent IPsec Connectivity: Rekey Failure→
  • Troubleshoot Intermittent IPsec VPN: SA Rekey Failure→
  • Post-Upgrade URL Filtering Issues: Verify Database is Up-to-Date→
  • Fix URL Filtering After PAN-OS Upgrade: Verify Database Currency→
  • Why a Correctly Configured Schedule Object Might Not Work Due to Timezone→
  • Why a Geolocation-Based Security Rule Blocks GlobalProtect Internal Access→
  • Export Logs from Panorama: API and Syslog→

Other PCNSE exam domains

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPN

Frequently asked questions

What does the Troubleshoot domain cover on the PCNSE exam?

Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.

How many Troubleshoot questions are in the PCNSE question bank?

The Courseiva PCNSE question bank contains 57 questions in the Troubleshoot domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Troubleshoot for PCNSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Troubleshoot questions for PCNSE?

Yes — the session launcher on this page draws questions exclusively from the Troubleshoot domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your PCNSE domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide