PCNSA · topic practice

Troubleshooting practice questions

Practise Palo Alto Networks Certified Network Security Administrator PCNSA Troubleshooting practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Troubleshooting

What the exam tests

What to know about Troubleshooting

Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Troubleshooting exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Troubleshooting questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting a drop in traffic from a critical application. The traffic is allowed by the security policy, but the firewall is dropping the packets. The engineer views the session log and sees that the session is being terminated due to 'tcp-non-syn'. What is the most likely cause?

Question 2mediummultiple choice
Read the full Troubleshooting explanation →

Refer to the exhibit. A firewall administrator is troubleshooting a performance issue. The number of half-open TCP connections is unusually high. What is a likely cause?

Exhibit

Refer to the exhibit.

admin@PA-500> show counter global | match tcp

tcp-conn-init           1500
tcp-conn-established    1200
tcp-conn-closed         1400
tcp-conn-failed         200
tcp-conn-reset          100
tcp-conn-half-open      50
tcp-conn-timeout        30
Question 3mediummultiple choice
Read the full Troubleshooting explanation →

A security administrator is troubleshooting a policy misconfiguration. The firewall is configured with a security rule that allows traffic from the 'Engineering' zone to the 'Servers' zone. However, traffic from an Engineering user to a server in the 'DMZ' zone is being denied. What is the most likely cause?

Match each PAN-OS CLI command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays firewall version and uptime

Lists all interfaces and their status

Displays active security rules

Reboots the firewall

Which THREE factors should be considered when troubleshooting a 'deny' rule that is unexpectedly blocking traffic? (Choose three.)

Which TWO of the following are valid methods to collect a technical support file from a Palo Alto Networks firewall?

Question 7mediummultiple choice
Read the full Troubleshooting explanation →

A security engineer is troubleshooting why YouTube video streaming is not being identified as 'youtube-streaming' but instead as 'youtube-base'. What could be the reason?

Which THREE factors should be considered when troubleshooting App-ID misidentification? (Choose three.)

Question 9mediummultiple choice
Read the full Troubleshooting explanation →

A security engineer is troubleshooting a connectivity issue where internal users cannot reach a public web server hosted on the internet. The firewall is configured with a security policy that allows traffic from the internal zone to the external zone on port 80. The engineer notices that traffic is being dropped. Upon checking the session table, the engineer sees that the session is initiated correctly but the return traffic is not matching the existing session. What is the most likely cause?

Question 10hardmultiple choice
Read the full NAT/PAT explanation →

A network administrator is troubleshooting a connectivity issue where users in the 192.168.1.0/24 subnet cannot reach a server at 10.0.0.10. The firewall has a rule that allows traffic from source zone 'Trust' to destination zone 'DMZ' with source address 192.168.1.0/24 and destination address 10.0.0.10. The traffic is matching the rule, but the packets are being dropped. What is the most likely reason?

Question 11hardmulti select
Read the full NAT/PAT explanation →

A firewall administrator is troubleshooting a situation where traffic from the 'Engineering' zone (source zone) to the 'Servers' zone (destination zone) is being allowed, but the desired behavior is to block it. The administrator runs 'show running security-policy' and sees the following rules in order: Rule1: from Engineering to Servers allow; Rule2: from Engineering to Servers deny; Rule3: from any to Servers allow. Which TWO statements are true regarding policy evaluation?

A security analyst is troubleshooting a decryption issue. Which TWO logs are most useful for identifying decryption failures? (Choose two.)

An administrator is troubleshooting decryption-related connectivity issues. Which two log types should be examined to gather information about decryption actions and errors?

Which three of the following services are commonly permitted on the management interface? (Choose three.)

Which TWO actions are recommended for monitoring decrypted traffic on a Palo Alto Networks firewall?

Question 16hardmultiple choice
Read the full Troubleshooting explanation →

An administrator is troubleshooting why an application is being identified as 'incomplete' in the traffic log. What does this indicate?

Question 17hardmultiple choice
Read the full Troubleshooting explanation →

During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?

Question 18hardmultiple choice
Read the full Troubleshooting explanation →

A security team wants to inspect traffic to and from a critical application server. They configure an inbound decryption rule to decrypt traffic destined to the server's IP address. After deploying, they find that traffic is not being decrypted. What is the first step to troubleshoot?

Question 19hardmultiple choice
Read the full Troubleshooting explanation →

An administrator wants to allow ping (ICMP) and SSH access on a data interface (e.g., ethernet1/1) for troubleshooting. Which configuration is required?

Question 20hardmultiple choice
Read the full DNS explanation →

An administrator is troubleshooting a security policy that uses a service group containing both TCP and UDP service objects. The policy is intended to allow DNS traffic (UDP 53 and TCP 53). The rule is not allowing TCP DNS. What is the most likely issue?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Troubleshooting sessions

Start a Troubleshooting only practice session

Every question in these sessions is drawn from the Troubleshooting domain — nothing else.

Related practice questions

Related PCNSA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCNSA exam test about Troubleshooting?
Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Troubleshooting questions in a focused session?
Yes — the session launcher on this page draws every question from the Troubleshooting domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSA topics?
Use the topic links above to move to related areas, or go back to the PCNSA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSA exam covers. They are not copied from any real exam or dump site.