Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Troubleshoot practice sets

PCNSE Troubleshoot • Complete Question Bank

PCNSE Troubleshoot — All Questions With Answers

Complete PCNSE Troubleshoot question bank — all 0 questions with answers and detailed explanations.

57
Questions
Free
No signup
Certifications/PCNSE/Practice Test/Troubleshoot/All Questions
Question 1mediummultiple choice
Read the full VPN explanation →

A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?

Question 2hardmultiple choice
Review the full subnetting walkthrough →

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

Question 3easymultiple choice
Read the full NAT/PAT explanation →

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

Question 4mediummultiple choice
Read the full Troubleshoot explanation →

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

Question 5hardmultiple choice
Read the full Troubleshoot explanation →

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

Question 6mediummultiple choice
Read the full Troubleshoot explanation →

After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?

Question 7easymultiple choice
Read the full Troubleshoot explanation →

A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?

Question 8hardmultiple choice
Read the full Troubleshoot explanation →

An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?

Question 9mediummulti select
Read the full Troubleshoot explanation →

Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?

Question 10hardmulti select
Read the full VPN explanation →

Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?

Question 11easymulti select
Read the full VPN explanation →

Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?

Question 12mediummultiple choice
Read the full Troubleshoot explanation →

Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?

Exhibit

admin@PA-5000> show session id 12345
Session ID: 12345
Source IP: 10.1.1.100
Destination IP: 203.0.113.50
Application: web-browsing
State: ESTABLISHED
From Zone: trust
To Zone: untrust
Rule: allow-web
Question 13hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. The traffic log shows a drop event from source IP 203.0.113.10 to destination 10.1.1.200 on port 443. The rule matched is 'deny-rule'. What is the most likely reason for this drop?

Exhibit

2025/03/15 10:30:45,drop,203.0.113.10,10.1.1.200,https,443,trust,untrust,deny-rule,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any
Question 14mediummultiple choice
Read the full NAT/PAT explanation →

A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?

Question 15hardmultiple choice
Review the full subnetting walkthrough →

A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?

Question 16easymultiple choice
Read the full Troubleshoot explanation →

A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?

Question 17mediummultiple choice
Review the full subnetting walkthrough →

A security administrator notices that traffic logs are not being generated for allowed traffic from a specific subnet. The security policy rule for that subnet has 'Log at Session End' enabled. What should the engineer check?

Question 18hardmultiple choice
Read the full Troubleshoot explanation →

In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?

Question 19easymultiple choice
Read the full Troubleshoot explanation →

A firewall administrator is troubleshooting a scenario where users cannot reach an internal web server. The security policy allows the traffic, and the server is reachable from other networks. What should the administrator check first?

Question 20mediummultiple choice
Read the full Troubleshoot explanation →

A company is using GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show successful GlobalProtect tunnel establishment. What is the most likely issue?

Question 21hardmultiple choice
Read the full Troubleshoot explanation →

A firewall is experiencing high CPU utilization. The engineer suspects a denial-of-service attack. Which command should be used to identify the source of the attack?

Question 22easymultiple choice
Read the full Troubleshoot explanation →

A network engineer needs to verify that a specific security rule is being hit by traffic. Which firewall log should be examined?

Question 23mediummultiple choice
Read the full Troubleshoot explanation →

A user reports that they cannot access a website. The firewall logs show the session was denied with 'No rule matched'. The security policy has a rule that should match the traffic. What is the most likely cause?

Question 24hardmultiple choice
Read the full Troubleshoot explanation →

A firewall has a security policy that includes a rule with a 'Schedule' object. During the scheduled time, traffic should be allowed, but it is being blocked. The schedule is configured correctly. What could be the issue?

Question 25easymulti select
Read the full Troubleshoot explanation →

Which TWO are valid methods to troubleshoot a firewall not passing traffic? (Choose two.)

Question 26mediummulti select
Read the full Troubleshoot explanation →

Which TWO are common causes of session drops after the initial handshake? (Choose two.)

Question 27hardmulti select
Read the full VPN explanation →

Which THREE are required for a successful firewall-to-firewall IPSec VPN tunnel? (Choose three.)

Question 28mediummultiple choice
Read the full Troubleshoot explanation →

Refer to the exhibit. The session is in FIN_WAIT state. What does this indicate about the TCP connection?

Exhibit

Refer to the exhibit.

---
> show session id 12345
Session ID: 12345
Source IP: 10.1.1.100
Destination IP: 192.168.2.50
Source Port: 34567
Destination Port: 80
Protocol: TCP
State: FIN_WAIT
Application: ssl
NAT Source: 10.1.1.100
NAT Destination: 192.168.2.50
---
Question 29mediummultiple choice
Read the full Troubleshoot explanation →

A user reports that they cannot access a specific website. Traffic matches a security policy rule that allows the application 'web-browsing' but the session is being dropped. Which of the following is the most likely cause?

Question 30easymultiple choice
Read the full Troubleshoot explanation →

After upgrading Panorama to a newer version, a configuration push to a managed firewall fails with the error 'Commit failed: template validation error.' Which of the following should be checked first?

Question 31hardmultiple choice
Read the full Troubleshoot explanation →

An organization uses SSL Forward Proxy decryption for all web traffic. A user reports intermittent connectivity issues to a SaaS application. The firewall shows no drops or errors. Which of the following is the most likely cause?

Question 32mediummultiple choice
Read the full Troubleshoot explanation →

A security policy rule is configured to deny traffic, but no logs are generated when the traffic is denied. Which of the following is the most likely reason?

Question 33easymultiple choice
Read the full Troubleshoot explanation →

A network administrator wants to verify if a specific internal IP address (10.1.1.100) is being translated to a public IP when accessing the internet. Which CLI command should be used?

Question 34hardmultiple choice
Read the full Troubleshoot explanation →

A Panorama-managed firewall is not sending logs to Panorama. The firewall is operational and policies are being pushed successfully. Which of the following is the most likely cause?

Question 35mediummultiple choice
Read the full Troubleshoot explanation →

A remote user is unable to connect to the GlobalProtect gateway. The user's client shows 'Connecting' but never establishes a tunnel. The firewall shows no drops in the GlobalProtect logs. Which of the following should be checked first?

Question 36easymultiple choice
Read the full Troubleshoot explanation →

A new application is not being identified by the firewall. Traffic for the application is being treated as 'unknown-tcp'. Which action should be taken to resolve this?

Question 37hardmultiple choice
Read the full Troubleshoot explanation →

A Palo Alto Networks firewall experiences high CPU utilization consistently above 90%. Which of the following is the most effective first step to identify the cause?

Question 38mediummulti select
Read the full Troubleshoot explanation →

Which TWO CLI commands can be used to check whether a specific security policy rule is being matched by traffic? (Choose two.)

Question 39easymulti select
Read the full Troubleshoot explanation →

Which TWO methods can be used to export logs from Panorama to an external system? (Choose two.)

Question 40hardmulti select
Read the full NAT/PAT explanation →

Which THREE factors can cause a session to be terminated abnormally with a 'tcp-rst-from-server' or 'tcp-rst-from-client' flag in the session end reason? (Choose three.)

Question 41mediummultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A user at 10.1.1.10 is trying to connect to a web server at 203.0.113.5 on port 443. The session shows 'State: DROP' with reason 'policy-deny'. However, the administrator has a security policy rule that allows SSL traffic from the source zone to the destination zone. What is the most likely cause of the drop?

Exhibit

show session id 12345
Session 12345: 10.1.1.10:50000 -> 203.0.113.5:443 (10.1.1.10:50000 -> 203.0.113.5:443)
Application: ssl	State: DROP	Type: FLOW
Reason: policy-deny	Flags: 0x40000000
NAT: source 10.1.1.10:50000 (no NAT)
Question 42hardmultiple choice
Read the full Troubleshoot explanation →

Refer to the exhibit. A user at 10.1.1.10 attempts to access https://www.example.com (port 443). The firewall correctly identifies the application as 'ssl' and matches the rule 'Allow-SSL'. However, the session is still being denied. What is the most likely reason?

Exhibit

config shared
security-rulebase
 security-rules
  rule "Allow-SSL"
   from [ "Trust-L3" ]
   to [ "Untrust-L3" ]
   source [ "10.0.0.0/8" ]
   destination [ "any" ]
   application [ "ssl" ]
   service [ "application-default" ]
   action allow
   log-start no
   log-end yes
   log-setting "Profile1"
 end-rule
  rule "Block-HTTP"
   from [ "Trust-L3" ]
   to [ "Untrust-L3" ]
   source [ "10.0.0.0/8" ]
   destination [ "any" ]
   application [ "web-browsing" ]
   service [ "application-default" ]
   action deny
   log-start no
   log-end yes
 end-rule
end
config shared
 application-group "Web-Apps"
  members [ "ssl" "web-browsing" ]
 end-application-group
end
Question 43easymultiple choice
Read the full Troubleshoot explanation →

Refer to the exhibit. A firewall system log contains a critical license expiration entry for URL Filtering. What will happen to URL Filtering functionality?

Exhibit

system log:
2019-03-15 14:23:45, severity: critical, module: license, description: License for URL Filtering has expired.
Question 44easymultiple choice
Review the full subnetting walkthrough →

A network engineer notices that traffic from a specific subnet is being dropped by the firewall. The traffic log shows 'drop' with reason 'policy deny'. The engineer checks the security policy and confirms there is an allow rule for that subnet. What should be checked next?

Question 45mediummultiple choice
Read the full NAT/PAT explanation →

During a troubleshooting session, a user reports that they cannot access an internal web server through the firewall's public IP. The firewall is configured with destination NAT. The engineer checks the NAT policy and sees the rule is active. What should be the next step to verify the NAT is functioning correctly?

Question 46hardmultiple choice
Read the full VPN explanation →

An administrator is troubleshooting VPN tunnel flapping. The logs show multiple Phase 2 rekeys. The tunnel uses IKEv2 with pre-shared key. What is the most likely cause?

Question 47mediummultiple choice
Read the full Troubleshoot explanation →

After upgrading a PA-5250, the firewall is not passing traffic. The administrator checks the dataplane CPU utilization and sees it is at 100%. Which command should be run to identify the cause?

Question 48easymultiple choice
Read the full Troubleshoot explanation →

A firewall is configured with User-ID mapping via domain controller polling. Some users are not being mapped correctly. What is the most likely cause?

Question 49mediummulti select
Read the full Troubleshoot explanation →

A security administrator is trying to isolate a performance issue on a PA-3220. Which two commands provide real-time information about the dataplane performance? (Choose two.)

Question 50hardmulti select
Read the full Troubleshoot explanation →

An engineer is troubleshooting a scenario where traffic from a specific source IP is not being logged although the security policy log setting is set to 'log at session end'. Which three conditions could prevent logging for that traffic? (Choose three.)

Question 51easymultiple choice
Review the full routing breakdown →

A healthcare organization recently replaced their primary internet circuit and changed the next-hop IP for the default route from 203.0.113.1 to 198.51.100.1. After the change, all internet traffic is failing. The firewall is a PA-220 running PAN-OS 9.1. The administrator verifies that the new default route is present in the virtual router and that the security policies are unchanged. The IP address configuration on the ethernet interface is correct and the link is up. When pinging 8.8.8.8 from the firewall's management interface, it succeeds. But traffic from internal hosts fails. The traffic log shows 'drop' with reason 'route - no route to host'. What is the most likely cause?

Question 52hardmultiple choice
Read the full Troubleshoot explanation →

A large enterprise uses a PA-5250 as a perimeter firewall with multiple virtual systems (vsys). One vsys is for the DMZ, and it is logging high amounts of dropped traffic. The administrator notices that the firewall's dataplane CPU is consistently above 80%. The logs show many 'application-id timeout' drops. The DMZ hosts are running custom applications on non-standard ports. What is the first step to mitigate the issue?

Question 53mediummultiple choice
Read the full Troubleshoot explanation →

A company uses GlobalProtect for remote access. After upgrading the GP portal and gateway from 5.0 to 5.1, some users cannot connect. They report that they receive 'Unable to connect to gateway' error. The firewall logs show that the user is unable to authenticate. The authentication profile uses LDAP. The administrator can successfully bind to the LDAP server from the firewall CLI. What could be the issue?

Question 54mediummultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a slow file transfer through a PA-5200. The file transfer is between two sites connected via IPsec VPN. The firewall has a symmetric crypto profile with AES-256 and SHA-256. The throughput is lower than expected. The engineer checks the dataplane CPU and sees it is 30%. The firewall's interface counters show no errors. What should be the first step to improve throughput?

Question 55mediummultiple choice
Read the full NAT/PAT explanation →

A security administrator reports that they can ping and access internal resources, but cannot access any external websites. The firewall is configured with a default route pointing to the internet router, and the NAT policy includes a source NAT rule for the internal subnet. Which step should the administrator take first to troubleshoot this issue?

Question 56hardmulti select
Read the full Troubleshoot explanation →

Based on the exhibit, which THREE conclusions can be drawn?

Exhibit

Refer to the exhibit.
```
admin@PA-5250> show session id 12345
Session ID: 12345
  Source IP: 10.10.1.100
  Destination IP: 203.0.113.50
  Source port: 34567
  Destination port: 443
  Ingress interface: ethernet1/2
  Egress interface: ethernet1/3
  NAT source IP: 192.0.2.100
  NAT destination IP: 203.0.113.50
  Protocol: TCP
  State: ACTIVE
  Type: FLOW
  Policy ID: 4
  Application: ssl
  Rule: allow-ssl
  User: unknown
```
Question 57easymultiple choice
Read the full VPN explanation →

A company with multiple branch offices connects to headquarters using IPSec VPN tunnels terminated on PA-220 firewalls. Users at one branch report intermittent connectivity issues when accessing critical applications hosted at HQ. Ping tests to HQ servers succeed consistently, but TCP-based applications (e.g., file transfers, web access) frequently drop connections after a few seconds, particularly when transferring large data. The VPN tunnel status shows 'active' with no rekeys. Security policies are configured to allow all required application traffic. Interface statistics show no discards or errors. Which action should be taken to resolve the issue?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSE Practice Test 1 — 10 Questions→PCNSE Practice Test 2 — 10 Questions→PCNSE Practice Test 3 — 10 Questions→PCNSE Practice Test 4 — 10 Questions→PCNSE Practice Test 5 — 10 Questions→PCNSE Practice Exam 1 — 20 Questions→PCNSE Practice Exam 2 — 20 Questions→PCNSE Practice Exam 3 — 20 Questions→PCNSE Practice Exam 4 — 20 Questions→Free PCNSE Practice Test 1 — 30 Questions→Free PCNSE Practice Test 2 — 30 Questions→Free PCNSE Practice Test 3 — 30 Questions→PCNSE Practice Questions 1 — 50 Questions→PCNSE Practice Questions 2 — 50 Questions→PCNSE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPNTroubleshoot

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Troubleshoot setsAll Troubleshoot questionsPCNSE Practice Hub