Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›PCNSE›Objectives›Troubleshoot
Objective 4.0

Troubleshoot

PCNSE Practice Questions

Use this page to practise Troubleshoot questions for this certification. Focus on how the exam tests troubleshoot in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Full Practice Test →All Objectives

What this objective tests

PCNSE Troubleshoot — Key Topics

Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.

  • Core Troubleshoot concepts and how they apply in real-world cloud scenarios.
  • How to deploy troubleshoot correctly and verify the outcome.
  • Troubleshooting troubleshoot issues by interpreting error output and system state.
  • Cloud best practices and Troubleshoot design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Troubleshoot

  • ⚠Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠Choosing a global service fix when the issue is region-specific.
  • ⚠Overlooking cost implications of cross-region data transfer in architecture questions.

PCNSE Troubleshoot — Practice Questions

30 questions from this objective

Question 2mediummultiple choice
Read the full VPN explanation →

A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?

Question 3hardmultiple choice
Review the full subnetting walkthrough →

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

Question 4easymultiple choice
Read the full NAT/PAT explanation →

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

Question 5mediummultiple choice
Full question →

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

Question 6hardmultiple choice
Full question →

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

Question 7mediummultiple choice
Full question →

After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?

Question 8easymultiple choice
Full question →

A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?

Question 9hardmultiple choice
Full question →

An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?

Question 10mediummulti select
Full question →

Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?

Question 11hardmulti select
Read the full VPN explanation →

Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?

Question 12easymulti select
Read the full VPN explanation →

Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?

Question 13mediummultiple choice
Full question →

Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?

Exhibit

admin@PA-5000> show session id 12345
Session ID: 12345
Source IP: 10.1.1.100
Destination IP: 203.0.113.50
Application: web-browsing
State: ESTABLISHED
From Zone: trust
To Zone: untrust
Rule: allow-web
Question 14hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. The traffic log shows a drop event from source IP 203.0.113.10 to destination 10.1.1.200 on port 443. The rule matched is 'deny-rule'. What is the most likely reason for this drop?

Exhibit

2025/03/15 10:30:45,drop,203.0.113.10,10.1.1.200,https,443,trust,untrust,deny-rule,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any
Question 15mediummultiple choice
Read the full NAT/PAT explanation →

A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?

Question 16hardmultiple choice
Review the full subnetting walkthrough →

A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?

Question 17easymultiple choice
Full question →

A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?

Question 18mediummultiple choice
Review the full subnetting walkthrough →

A security administrator notices that traffic logs are not being generated for allowed traffic from a specific subnet. The security policy rule for that subnet has 'Log at Session End' enabled. What should the engineer check?

Question 19hardmultiple choice
Full question →

In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?

Question 20easymultiple choice
Full question →

A firewall administrator is troubleshooting a scenario where users cannot reach an internal web server. The security policy allows the traffic, and the server is reachable from other networks. What should the administrator check first?

Question 21mediummultiple choice
Full question →

A company is using GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show successful GlobalProtect tunnel establishment. What is the most likely issue?

Question 22hardmultiple choice
Full question →

A firewall is experiencing high CPU utilization. The engineer suspects a denial-of-service attack. Which command should be used to identify the source of the attack?

Question 23easymultiple choice
Full question →

A network engineer needs to verify that a specific security rule is being hit by traffic. Which firewall log should be examined?

Question 24mediummultiple choice
Full question →

A user reports that they cannot access a website. The firewall logs show the session was denied with 'No rule matched'. The security policy has a rule that should match the traffic. What is the most likely cause?

Question 25hardmultiple choice
Full question →

A firewall has a security policy that includes a rule with a 'Schedule' object. During the scheduled time, traffic should be allowed, but it is being blocked. The schedule is configured correctly. What could be the issue?

Question 26easymulti select
Full question →

Which TWO are valid methods to troubleshoot a firewall not passing traffic? (Choose two.)

Question 27mediummulti select
Full question →

Which TWO are common causes of session drops after the initial handshake? (Choose two.)

Question 28hardmulti select
Read the full VPN explanation →

Which THREE are required for a successful firewall-to-firewall IPSec VPN tunnel? (Choose three.)

Question 29mediummultiple choice
Full question →

Refer to the exhibit. The session is in FIN_WAIT state. What does this indicate about the TCP connection?

Exhibit

Refer to the exhibit.

---
> show session id 12345
Session ID: 12345
Source IP: 10.1.1.100
Destination IP: 192.168.2.50
Source Port: 34567
Destination Port: 80
Protocol: TCP
State: FIN_WAIT
Application: ssl
NAT Source: 10.1.1.100
NAT Destination: 192.168.2.50
---
Question 30mediummultiple choice
Full question →

A user reports that they cannot access a specific website. Traffic matches a security policy rule that allows the application 'web-browsing' but the session is being dropped. Which of the following is the most likely cause?

Question 31easymultiple choice
Full question →

After upgrading Panorama to a newer version, a configuration push to a managed firewall fails with the error 'Commit failed: template validation error.' Which of the following should be checked first?

More Troubleshoot questions available in the full practice test.

Continue Practising →

All PCNSE Objectives

  • 4.Troubleshoot