Back to Palo Alto Networks Certified Network Security Engineer PCNSE questions

Scenario-based practice

Troubleshooting Scenario Questions

Practise Palo Alto Networks Certified Network Security Engineer PCNSE practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
PCNSE
exam code
Palo Alto Networks
vendor

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting Scenario Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related PCNSE topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummultiple choice
Full question →

An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?

Question 2easymultiple choice
Review the full subnetting walkthrough →

A company has configured a security policy that allows HTTP traffic from the internal network 10.0.0.0/8 to the internet. However, users from subnet 10.2.0.0/24 are unable to access external websites. The firewall logs show that traffic from 10.2.0.100 to 203.0.113.1 on port 80 is being denied. Which action should the administrator take to resolve the issue?

Question 3hardmultiple choice
Full question →

A security engineer is troubleshooting a connectivity issue where traffic from a specific internal host is allowed by security policy but fails to establish a connection to an external server. The firewall logs show the session was created, but no response packets are seen. What is the most likely cause?

Question 4hardmultiple choice
Full question →

Two firewalls in an active/passive HA configuration are not synchronizing sessions. The 'show high-availability state' command shows both peers as 'active' and 'passive' correctly, but session synchronization is not working. What is the most likely cause?

Question 5hardmultiple choice
Review the full subnetting walkthrough →

A company has a PA-3260 firewall configured with multiple virtual routers for segmentation. A new subnet 192.168.30.0/24 is added behind a layer3 interface that is part of virtual router 'VR-A'. The administrator adds a static route on the firewall to reach the subnet via next-hop 10.0.0.1. However, hosts in another virtual router 'VR-B' cannot reach the new subnet. The route is present in VR-A's routing table. What should the administrator do to resolve the issue?

Question 6mediummultiple choice
Read the full VPN explanation →

After upgrading a PA-5250 from PAN-OS 9.1 to PAN-OS 10.1, the firewall fails to establish IPsec VPN tunnels with remote peers. The crypto profiles and IKE gateways appear unchanged. What is the most likely cause?

Question 7hardmultiple choice
Review the full routing breakdown →

A firewall is configured with two virtual routers in an active/passive HA pair. The active firewall fails over, and after failover, traffic is not passing through the new active firewall. The interface IP addresses are configured as virtual IPs. What is the most likely cause?

Question 8mediummulti select
Full question →

A network engineer is troubleshooting high latency on the firewall. Which THREE commands from the CLI should be used to identify potential bottlenecks? (Choose three.)

Question 9mediummultiple choice
Full question →

A network administrator is troubleshooting an issue where HTTPS traffic to a particular website is being blocked. The security policy rule allows SSL traffic to that website. The firewall logs show the traffic is being blocked by the URL Filtering profile. The URL Filtering profile is set to allow the category 'Business-and-Economy'. The website belongs to the category 'Shopping'. What action should the administrator take?

Question 10easymultiple choice
Full question →

An HA pair is configured with Active/Passive mode. The passive firewall fails to become active after the active firewall's management interface goes down. What is the most likely cause?

Question 11hardmulti select
Full question →

Which TWO troubleshooting steps are most effective when an HA pair is not synchronizing sessions between peers? (Assume HA1 and HA2 are up.)

Question 12mediummultiple choice
Full question →

An engineer notices that the HA pair is not synchronizing configuration changes. The 'show high-availability sync-status' output shows 'sync-failure'. What is the first step to troubleshoot?

Question 13hardmulti select
Full question →

An engineer is troubleshooting an HA pair where session synchronization is not working. Which THREE steps should be taken to diagnose the issue? (Choose three.)

Question 14mediummulti select
Full question →

An organization has configured an active/passive high availability pair of Palo Alto Networks firewalls. During a maintenance window, the active firewall was rebooted. After the reboot, the passive firewall became active, but the session table on the original active firewall is incomplete. The administrator notices that session synchronization is not working properly. Which two configuration checks should the technician perform to resolve this issue?

Question 15mediummultiple choice
Read the full VPN explanation →

An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?

These PCNSE practice questions are part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style PCNSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.