
Scenario-based practice

Troubleshooting Scenario Questions

Practise with Certified Information Systems Security Professional (CISSP) scenario questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CISSP | Vendor: ISC2

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network or access-control symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?

Question 2 (hard, multiple choice)

In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?

Question 3 (easy, multiple choice)

An analyst reviews the exhibit showing Windows security event logs. What activity should be investigated as a potential data exfiltration attempt?

Exhibit

Refer to the exhibit.

Event Log Entry:
Time: 2025-02-15 09:23:45
Event ID: 4663
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Read
Process: excel.exe

Time: 2025-02-15 09:24:10
Event ID: 4663
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Write
Process: excel.exe

Time: 2025-02-15 09:25:00
Event ID: 5145
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Delete
Process: cmd.exe

Question 4 (medium, multiple choice)

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

Question 5 (easy, multiple choice)

A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?

Question 6 (hard, multiple choice)

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

Question 7 (medium, multiple choice)

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?

Question 8 (hard, multiple choice)

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

Question 9 (hard, multiple choice)

Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?

Exhibit

Event ID: 4771
Account Name: jdoe@DOMAIN.COM
Failure Code: 0x18
Source: Microsoft-Windows-Security-Auditing

Question 10 (medium, multiple choice)

A network engineer is troubleshooting a slow VPN connection between two sites. The link is symmetric 100 Mbps, but throughput tests show only 20 Mbps. The VPN uses AES-256 encryption. What is the most likely cause?

Question 11 (medium, multiple choice)

A network engineer is troubleshooting an IPsec VPN tunnel between two sites. The tunnel is established but no traffic is passing. Which command should the engineer use to verify the phase 2 security associations?

Question 12 (hard, multiple choice)

A financial institution is implementing a zero-trust network architecture (ZTNA) using micro-segmentation. They have a legacy accounting application that runs on a Windows Server and communicates with multiple client workstations using both TCP and UDP dynamic ports (49152-65535) for various features. After deploying strict host-based firewall rules that only allow specific ports, users report that the application frequently loses connection and fails to authenticate. The security team verified that the application's required ports are allowed, but the dynamic port negotiation fails because the application uses a proprietary protocol that includes ephemeral ports outside the allowed range. The application vendor is no longer supporting it. The organization cannot replace the application immediately. What is the MOST effective short-term solution?

Question 13 (hard, multiple choice)

A security analyst is troubleshooting a web application that is incorrectly blocking valid login requests. The WAF rule in the exhibit is the only rule configured. What is the probable issue?

Exhibit

SecRuleEngine On
SecRequestBodyAccess On
# Every SecRule needs a unique id to load in ModSecurity 2.7 and later; 1001 is an illustrative value
SecRule REQUEST_URI "/login" "id:1001,phase:2,deny,msg:'Login attempt detected'"

Question 14 (hard, multiple choice)

A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?

Question 15 (hard, multiple choice)

Refer to the exhibit. A security analyst observes the audit log entry while troubleshooting a file access issue. The application is running under the myapp_t domain. Which action should the analyst take to resolve the issue while adhering to the principle of least privilege?

Exhibit

# Security-constrained model in SELinux policy
policy_module(myapp, 1.0.0)

# Domain for the running application and label for its executable
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Label for the application's own data files (referenced below, so it must be declared)
type myapp_data_t;

allow myapp_t self:capability { dac_override };
allow myapp_t self:process { fork };
allow myapp_t myapp_data_t:file { read write create open };

# Audit log snippet
AUDIT: type=AVC msg=audit(1633028000.123:456): avc:  denied  { read } for  pid=1234 comm="myapp" name="shadow" dev="dm-0" ino=789 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

These CISSP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CISSP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.