PCNSE · topic practice

Troubleshoot practice questions

Use this page to practise Troubleshoot questions for this certification. Focus on how the exam tests troubleshoot in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Troubleshoot

What the exam tests

What to know about Troubleshoot

Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.

Core Troubleshoot concepts and how they apply in real-world cloud scenarios.

How to deploy troubleshoot correctly and verify the outcome.

Troubleshooting troubleshoot issues by interpreting error output and system state.

Cloud best practices and Troubleshoot design trade-offs tested by this certification.

Watch out for

Common Troubleshoot exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Troubleshoot questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full VPN explanation →

A company is experiencing intermittent connectivity issues between two branch offices connected via an IPSec tunnel. Users report that they can access resources for a few minutes, then lose connectivity, and after a short time it comes back. Which troubleshooting step should be taken first?

Question 2hardmultiple choice
Review the full subnetting walkthrough →

An engineer is troubleshooting a case where users on a specific subnet cannot reach a web server behind a Palo Alto Networks firewall. The security policy allows the traffic, and the firewall sees the session hit the rule. However, the server does not receive the request. What is the most likely cause?

Question 3easymultiple choice
Read the full NAT/PAT explanation →

A network administrator notices that traffic from a specific user to the internet is being blocked by the firewall. The user's IP is 10.1.1.100, and the destination is a public website. The security policy has a rule that allows traffic from subnet 10.1.1.0/24 to any. What is the first thing the administrator should verify?

Question 4mediummultiple choice
Read the full Troubleshoot explanation →

A company deploys a new application that uses UDP on port 12345. The security policy is configured to allow UDP traffic from the internal network to the application server. However, users report that the application does not work. The firewall logs show that the traffic is allowed. What is the most likely cause?

Question 5hardmultiple choice
Read the full Troubleshoot explanation →

An engineer is troubleshooting an issue where GlobalProtect users are unable to connect to the portal. The portal is configured with a certificate signed by an internal CA. Users can reach the portal's IP address from the internet, but the connection fails. The firewall log shows 'TLS handshake failed'. What is the most likely cause?

Question 6mediummultiple choice
Read the full Troubleshoot explanation →

After upgrading a Palo Alto Networks firewall, the administrator notices that some URL filtering categories are not being blocked as configured. The URL filtering profile is applied to the security rule. What should the administrator verify first?

Question 7easymultiple choice
Read the full Troubleshoot explanation →

A user reports that they cannot access a specific website. The firewall security policy allows web traffic. The administrator checks the traffic log and sees that the session is being denied due to a 'URL Filtering' block. What should the administrator do to allow access?

Question 8hardmultiple choice
Read the full Troubleshoot explanation →

An administrator is troubleshooting a situation where traffic from a specific application is being dropped by the firewall. The security policy allows the application. The firewall logs show the session is denied, and the reason is 'application mismatch'. What does this indicate?

Question 9mediummulti select
Read the full Troubleshoot explanation →

Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?

Question 10hardmulti select
Read the full VPN explanation →

Which THREE components should be verified when troubleshooting a site-to-site IPSec VPN that is not coming up?

Question 11easymulti select
Read the full VPN explanation →

Which TWO commands can be used to check the status of an IPSec tunnel on a Palo Alto Networks firewall?

Question 12mediummultiple choice
Read the full Troubleshoot explanation →

Refer to the exhibit. A user at 10.1.1.100 is browsing the internet. The session is established. However, the user reports that the page is not loading completely. What could be the issue?

Exhibit

admin@PA-5000> show session id 12345
Session ID: 12345
Source IP: 10.1.1.100
Destination IP: 203.0.113.50
Application: web-browsing
State: ESTABLISHED
From Zone: trust
To Zone: untrust
Rule: allow-web
Question 13hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. The traffic log shows a drop event from source IP 203.0.113.10 to destination 10.1.1.200 on port 443. The rule matched is 'deny-rule'. What is the most likely reason for this drop?

Exhibit

2025/03/15 10:30:45,drop,203.0.113.10,10.1.1.200,https,443,trust,untrust,deny-rule,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any,any
Question 14mediummultiple choice
Read the full NAT/PAT explanation →

A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?

Question 15hardmultiple choice
Review the full subnetting walkthrough →

A large organization uses GlobalProtect for remote access. Users report that they can connect to the portal and download the client, but the client fails to establish a tunnel after connecting. The firewall's GlobalProtect gateway is configured with an authentication profile that uses LDAP. The gateway is configured to use an internal IP pool. The administrator checks the GlobalProtect logs and sees that the user authenticates successfully, but the gateway fails to assign an IP address. The IP pool is configured with a range of 10.10.10.100-10.10.10.200. The administrator verifies that there are no other devices using those IPs. The gateway is on a different subnet than the IP pool. What is the most likely cause?

Question 16easymultiple choice
Read the full Troubleshoot explanation →

A user reports intermittent connectivity to a database server through the firewall. The session table shows active sessions, but the user experiences timeouts. What is the most likely cause?

Question 17mediummultiple choice
Review the full subnetting walkthrough →

A security administrator notices that traffic logs are not being generated for allowed traffic from a specific subnet. The security policy rule for that subnet has 'Log at Session End' enabled. What should the engineer check?

Question 18hardmultiple choice
Read the full Troubleshoot explanation →

In an active/passive HA pair, the passive firewall shows state 'non-functioning'. Both firewalls are running PAN-OS 10.1.5. What is the most likely cause?

Question 19easymultiple choice
Read the full Troubleshoot explanation →

A firewall administrator is troubleshooting a scenario where users cannot reach an internal web server. The security policy allows the traffic, and the server is reachable from other networks. What should the administrator check first?

Question 20mediummultiple choice
Read the full Troubleshoot explanation →

A company is using GlobalProtect for remote access. Users report that they can connect but cannot access internal resources. The firewall logs show successful GlobalProtect tunnel establishment. What is the most likely issue?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Troubleshoot sessions

Start a Troubleshoot only practice session

Every question in these sessions is drawn from the Troubleshoot domain — nothing else.

Related practice questions

Related PCNSE topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCNSE exam test about Troubleshoot?
Troubleshoot questions on this certification test your ability to deploy and manage troubleshoot concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Troubleshoot questions in a focused session?
Yes — the session launcher on this page draws every question from the Troubleshoot domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSE topics?
Use the topic links above to move to related areas, or go back to the PCNSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSE exam covers. They are not copied from any real exam or dump site.