Practice PCNSE Secure Access and VPN questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?
2. A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?
3. A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?
4. A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?
5. An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?
6. A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?
7. An organization uses GlobalProtect with multiple gateways for different regions. Users in the Asia region are connecting to the wrong gateway. What is the most likely cause?
8. Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?
9. Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?
10. Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?
11. Refer to the exhibit. A user inside the corporate network (IP: 10.1.1.5) connects to the portal. The portal detects the internal host and does not assign a gateway. However, the user still cannot access internal resources. What is the most likely issue?
12. A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?
13. Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.
14. Match each security rule action to its effect.
15. A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?
16. An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?
17. A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?
18. When configuring GlobalProtect with certificate authentication, a user reports that the client prompts for username and password even though the certificate is installed. What is the most likely cause?
19. A network engineer configures a tunnel interface for IPSec VPN. After committing, the interface is up but no traffic passes. The tunnel itself is established (IKEv2). What should the engineer check first?
20. A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?
21. An administrator sees the IPSec tunnel state 'down' under the tunnel monitor. What is the most common cause for this issue?
22. A company wants to provide VPN access to external business partners who do not have the GlobalProtect client installed. Which VPN method should be used?
23. An organization uses RADIUS as the primary authentication method for GlobalProtect with One-Time Password (OTP). Users can authenticate to the portal, but the gateway connection fails. The RADIUS server logs show successful authentication. What is the most likely issue?
24. Which TWO of the following are supported authentication methods for IPSec VPN tunnel setup between two Palo Alto Networks firewalls?
25. Which THREE of the following are valid configuration elements for a tunnel interface in Palo Alto Networks?
26. Which THREE of the following are capabilities of GlobalProtect Host Information Profile (HIP)?
27. What is the most likely cause of Phase2 being down?
28. A user tries to connect to the GlobalProtect portal but receives 'Certificate validation failed'. What is the most likely missing configuration?
29. A GlobalProtect user behind the tunnel is unable to browse HTTPS websites. What is the issue?
30. A network administrator configures GlobalProtect for remote users. Users report they can connect but cannot access internal resources. The firewall shows the user is connected with a valid IP. What is the most likely cause?
31. An organization has two sites connected via IPSec VPN. The tunnel is up, but ICMP traffic between sites fails. No other traffic works. The firewall policy allows any-any. What is the most likely issue?
32. A company integrates GlobalProtect with SAML for SSO. Users report that after authentication, they receive a 'Portal cannot be reached' error. The firewall logs show the SAML authentication succeeded. What should the administrator check?
33. Refer to the exhibit. A network engineer sees multiple IKE SAs for the same peer. What does this indicate?
34. Refer to the exhibit. A firewall administrator configures an IPSec tunnel. After committing, the tunnel never becomes active. What is the most likely reason?
35. Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?
36. Which TWO conditions are required for a successful GlobalProtect connection using certificate authentication?
37. Which THREE troubleshooting steps should be taken when a site-to-site VPN tunnel is up but no traffic passes?
38. Which TWO features are exclusive to GlobalProtect gateway configurations and not available on the portal?
39. A remote user's GlobalProtect client disconnects every 10 minutes. What setting should the administrator check?
40. A company uses GlobalProtect with internal gateways for accessing data center resources. Users on the internal network should not use the VPN. What is the best practice configuration?
41. During a security audit, it is discovered that the GlobalProtect gateway allows clients to use weak encryption algorithms. Which configuration object controls this?
42. A company wants to deploy GlobalProtect to 10,000 remote users. Which method provides the most scalable and automated distribution of the client software?
43. A network engineer configures an IPSec tunnel with multiple proxy IDs for different subnets. After committing, only one proxy ID establishes IPsec SAs. What should the engineer check?
44. An administrator configures a VPN tunnel between two Palo Alto firewalls. The tunnel shows as active, but traffic is not being encrypted. What configuration step is most likely missing?
45. A company is deploying GlobalProtect for remote users and wants to enforce that only users with valid certificates are allowed to connect. Which configuration is required on the GlobalProtect gateway?
46. A network administrator is troubleshooting an IPsec site-to-site VPN that fails to establish. IKE phase 1 completes successfully, but phase 2 fails with a 'no proposal chosen' message. Both sides have identical IKE and IPsec crypto profiles, and the pre-shared key is correct. What is the most likely cause of the failure?
47. Which TWO configurations are required on a GlobalProtect portal to enable automatic tunnel configuration for macOS clients? (Choose two.)
48. Which THREE factors must match between two IKE peers for successful IPsec tunnel establishment? (Choose three.)
49. A small company has two sites connected by a policy-based IPsec VPN. Users at Site B report they cannot reach a server at Site A with IP 10.1.1.100. The firewall administrator checks the VPN monitor and sees the tunnel is active and IKE SAs are up. From the Site B firewall, a ping to 10.1.1.100 succeeds. However, a user on a PC (192.168.50.10) behind the Site B firewall cannot ping 10.1.1.100. The security policy on the Site B firewall allows traffic from trust to VPN zones. What is the most likely cause of the issue?
50. A large organization uses GlobalProtect for remote access. Recently, users in the APAC region have been reporting frequent disconnections from the VPN. They can connect and authenticate, but after about 5 minutes the session drops and they must reconnect. The firewall logs show 'GlobalProtect gateway timeout' for these users. The gateway's tunnel timeout is set to 30 minutes. What is the most likely cause?
51. After upgrading a firewall pair from PAN-OS 9.1 to 10.0, a route-based IPsec VPN to a partner is no longer establishing. The tunnel is configured with a tunnel interface (tunnel.1) with IP 10.0.0.1/30 and the remote tunnel interface is 10.0.0.2/30. IKE phase 1 completes successfully, but phase 2 fails with 'no proposal chosen' on both sides. Both firewalls have identical IPsec crypto profiles (ESP-AES-256, SHA-256, DH-5, 1-hour lifetime). What is the most likely cause?
52. A multinational corporation uses GlobalProtect with multiple gateways distributed globally for load balancing. The portal has 'Enable Location Awareness' enabled and region mapping is configured to map APAC users to the APAC gateway, US users to the US gateway, etc. Recently, users in the APAC region are being redirected to the US gateway, causing high latency. The AD admin confirms that users are in the correct APAC subnets. What is the most likely misconfiguration?
53. A remote user reports they cannot connect to the corporate network via GlobalProtect. The GlobalProtect client shows 'Connection failed. Unable to establish a secure connection.' The portal and gateway are configured with certificate authentication. The administrator verifies that the portal/gateway certificates are valid and not expired, and the common name matches the portal's FQDN. The client's machine time is synchronized. Which misconfiguration is most likely the cause?
54. A network engineer is configuring a new GlobalProtect gateway to provide remote access. Which TWO items are required for the gateway to function properly?
55. A site-to-site IPsec tunnel between two Palo Alto Networks firewalls is not passing traffic. The administrator runs the 'show vpn ipsec-sa' command and sees the output in the exhibit. The remote peer is configured to use IKEv2 only. Based on the configuration, what is the most likely cause of the tunnel being in 'init' state?
The Secure Access and VPN domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 55 questions in the Secure Access and VPN domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Secure Access and VPN domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.