Scenario-based practice

Troubleshooting Scenario Questions

Practise Palo Alto Networks Certified Network Security Administrator (PCNSA) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions. Exam code: PCNSA. Vendor: Palo Alto Networks.

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

Question 2 (hard, multiple choice)

A company has a PA-5250 firewall in an active/passive HA pair. During a maintenance window, the administrator upgrades the passive firewall from PAN-OS 10.0 to 10.1. After the upgrade, the passive firewall fails to synchronize with the active firewall. The active firewall remains at 10.0. What is the most likely cause?

Question 3 (hard, multiple choice)

A company has a firewall configured with multiple virtual routers. A user on a trusted network can ping the firewall's management IP but cannot reach an external server. The security policy allows the traffic. What is the most likely cause?

Question 4 (medium, multiple choice)

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

Exhibit

admin@PA-500> show counter global | match tcp

tcp-conn-init           1500
tcp-conn-established    1200
tcp-conn-closed         1400
tcp-conn-failed         200
tcp-conn-reset          100
tcp-conn-half-open      50
tcp-conn-timeout        30

Question 5 (medium, multiple choice)

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

Question 6 (easy, multiple choice)

A firewall administrator notices that a security rule intended to block traffic from a specific IP address is not working. The rule is placed at the bottom of the security rulebase, and the traffic is being allowed by a rule higher in the list. What is the most likely cause?

Question 7 (hard, multi-select)

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

Question 8 (medium, multiple choice)

A security engineer is troubleshooting why YouTube video streaming is not being identified as 'youtube-streaming' but instead as 'youtube-base'. What could be the reason?

Question 9 (hard, multi-select)

Which THREE factors should be considered when troubleshooting App-ID misidentification? (Choose three.)

Question 10 (medium, multiple choice)

A security engineer is troubleshooting a connectivity issue where internal users cannot reach a public web server hosted on the internet. The firewall is configured with a security policy that allows traffic from the internal zone to the external zone on port 80. The engineer notices that traffic is being dropped. Upon checking the session table, the engineer sees that the session is initiated correctly but the return traffic is not matching the existing session. What is the most likely cause?

Question 11 (hard, multiple choice)

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

Question 12 (hard, multi-select)

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

Question 13 (medium, multiple choice)

Refer to the exhibit. A firewall has the configuration shown. A security policy allows traffic from the internal zone to the external zone. However, users on the internal network (192.168.1.0/24) cannot reach the internet. What is the most likely cause?

Exhibit

> show system info

hostname: PA-5250
model: PA-5250
sw-version: 10.1.3
app-version: 8340-5987
threat-version: 8340-5987

> show running ip-route

destination: 0.0.0.0/0
nexthop: 10.0.0.1
interface: ethernet1/1

> show interface ethernet1/1

interface: ethernet1/1
state: up
ip address: 10.0.0.2/24
zone: external

> show interface ethernet1/2

interface: ethernet1/2
state: down
ip address: 192.168.1.1/24
zone: internal

Question 14 (medium, multiple choice)

A network administrator notices that a specific user behind a PA-820 firewall is unable to reach a critical SaaS application, while other users can access it without issues. The administrator checks the traffic logs and sees the session is being denied. Which step should the administrator take next to identify the root cause?

Question 15 (hard, multiple choice)

Refer to the exhibit. A user at 10.1.1.50 is unable to connect to 192.168.1.100 on TCP port 443. The traffic log shows no entries for that source IP. Which security rule is expected to match this traffic?

Exhibit

admin@PA-3020> show running security-policy

rulebase security rules
  rule 1 name "Allow-Sales"
    source [ 10.1.1.0/24 ]
    destination [ 192.168.1.0/24 ]
    application [ ms-sql ]
    service [ tcp-1433 ]
    action allow
    log-start no
  rule 2 name "Allow-HR"
    source [ 10.1.2.0/24 ]
    destination [ 192.168.2.0/24 ]
    application [ web-browsing ]
    service [ application-default ]
    action allow
    log-start yes

admin@PA-3020> show session id 12345
Source IP: 10.1.1.50
Destination IP: 192.168.1.100
Application: ssl
Service: tcp-443

admin@PA-3020> show log traffic | match 10.1.1.50
... no results ...

These PCNSA practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.