Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Secure Access and VPN

Practice PCNSE Secure Access and VPN questions with full explanations on every answer.

55 questions


PCNSE Domains

Manage, Monitor and Operate
Securing Traffic and App-ID
Securing Users and Applications with Authentication
Decryption and SSL Inspection
Managing Troubleshooting and High Availability
Deploy and Configure Firewalls
Core Concepts and Architecture
Secure Access and VPN
Troubleshoot


All PCNSE Secure Access and VPN questions (55)


1

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

2

A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?

3

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

4

A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?

5

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

6

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

7

An organization uses GlobalProtect with multiple gateways for different regions. Users in the Asia region are connecting to the wrong gateway. What is the most likely cause?

8

Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?

9

Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?

10

Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?

11

Refer to the exhibit. A user inside the corporate network (IP: 10.1.1.5) connects to the portal. The portal detects the internal host and does not assign a gateway. However, the user still cannot access internal resources. What is the most likely issue?

12

A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?

13

Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.

14

Match each security rule action to its effect.

15

A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?

16

An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?

17

A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?

18

When configuring GlobalProtect with certificate authentication, a user reports that the client prompts for username and password even though the certificate is installed. What is the most likely cause?

19

A network engineer configures a tunnel interface for IPSec VPN. After committing, the interface is up but no traffic passes. The tunnel itself is established (IKEv2). What should the engineer check first?

20

A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?

21

An administrator sees the IPSec tunnel state 'down' under the tunnel monitor. What is the most common cause for this issue?

22

A company wants to provide VPN access to external business partners who do not have the GlobalProtect client installed. Which VPN method should be used?

23

An organization uses RADIUS as the primary authentication method for GlobalProtect with One-Time Password (OTP). Users can authenticate to the portal, but the gateway connection fails. The RADIUS server logs show successful authentication. What is the most likely issue?

24

Which TWO of the following are supported authentication methods for IPSec VPN tunnel setup between two Palo Alto Networks firewalls?

25

Which THREE of the following are valid configuration elements for a tunnel interface in Palo Alto Networks?

26

Which THREE of the following are capabilities of GlobalProtect Host Information Profile (HIP)?

27

What is the most likely cause of Phase 2 being down?

28

A user tries to connect to the GlobalProtect portal but receives 'Certificate validation failed'. What is the most likely missing configuration?

29

A GlobalProtect user behind the tunnel is unable to browse HTTPS websites. What is the issue?

30

A network administrator configures GlobalProtect for remote users. Users report they can connect but cannot access internal resources. The firewall shows the user is connected with a valid IP. What is the most likely cause?

31

An organization has two sites connected via IPSec VPN. The tunnel is up, but ICMP traffic between sites fails. No other traffic works. The firewall policy allows any-any. What is the most likely issue?

32

A company integrates GlobalProtect with SAML for SSO. Users report that after authentication, they receive a 'Portal cannot be reached' error. The firewall logs show the SAML authentication succeeded. What should the administrator check?

33

Refer to the exhibit. A network engineer sees multiple IKE SAs for the same peer. What does this indicate?

34

Refer to the exhibit. A firewall administrator configures an IPSec tunnel. After committing, the tunnel never becomes active. What is the most likely reason?

35

Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?

36

Which TWO conditions are required for a successful GlobalProtect connection using certificate authentication?

37

Which THREE troubleshooting steps should be taken when a site-to-site VPN tunnel is up but no traffic passes?

38

Which TWO features are exclusive to GlobalProtect gateway configurations and not available on the portal?

39

A remote user's GlobalProtect client disconnects every 10 minutes. What setting should the administrator check?

40

A company uses GlobalProtect with internal gateways for accessing data center resources. Users on the internal network should not use the VPN. What is the best practice configuration?

41

During a security audit, it is discovered that the GlobalProtect gateway allows clients to use weak encryption algorithms. Which configuration object controls this?

42

A company wants to deploy GlobalProtect to 10,000 remote users. Which method provides the most scalable and automated distribution of the client software?

43

A network engineer configures an IPSec tunnel with multiple proxy IDs for different subnets. After committing, only one proxy ID establishes IPsec SAs. What should the engineer check?

44

An administrator configures a VPN tunnel between two Palo Alto firewalls. The tunnel shows as active, but traffic is not being encrypted. What configuration step is most likely missing?

45

A company is deploying GlobalProtect for remote users and wants to enforce that only users with valid certificates are allowed to connect. Which configuration is required on the GlobalProtect gateway?

46

A network administrator is troubleshooting an IPsec site-to-site VPN that fails to establish. IKE phase 1 completes successfully, but phase 2 fails with a 'no proposal chosen' message. Both sides have identical IKE and IPsec crypto profiles, and the pre-shared key is correct. What is the most likely cause of the failure?

47

Which TWO configurations are required on a GlobalProtect portal to enable automatic tunnel configuration for macOS clients? (Choose two.)

48

Which THREE factors must match between two IKE peers for successful IPsec tunnel establishment? (Choose three.)

49

A small company has two sites connected by a policy-based IPsec VPN. Users at Site B report they cannot reach a server at Site A with IP 10.1.1.100. The firewall administrator checks the VPN monitor and sees the tunnel is active and IKE SAs are up. From the Site B firewall, a ping to 10.1.1.100 succeeds. However, a user on a PC (192.168.50.10) behind the Site B firewall cannot ping 10.1.1.100. The security policy on the Site B firewall allows traffic from trust to VPN zones. What is the most likely cause of the issue?

50

A large organization uses GlobalProtect for remote access. Recently, users in the APAC region have been reporting frequent disconnections from the VPN. They can connect and authenticate, but after about 5 minutes the session drops and they must reconnect. The firewall logs show 'GlobalProtect gateway timeout' for these users. The gateway's tunnel timeout is set to 30 minutes. What is the most likely cause?

51

After upgrading a firewall pair from PAN-OS 9.1 to 10.0, a route-based IPsec VPN to a partner is no longer establishing. The tunnel is configured with a tunnel interface (tunnel.1) with IP 10.0.0.1/30 and the remote tunnel interface is 10.0.0.2/30. IKE phase 1 completes successfully, but phase 2 fails with 'no proposal chosen' on both sides. Both firewalls have identical IPsec crypto profiles (ESP-AES-256, SHA-256, DH-5, 1-hour lifetime). What is the most likely cause?

52

A multinational corporation uses GlobalProtect with multiple gateways distributed globally for load balancing. The portal has 'Enable Location Awareness' enabled and region mapping is configured to map APAC users to the APAC gateway, US users to the US gateway, etc. Recently, users in the APAC region are being redirected to the US gateway, causing high latency. The AD admin confirms that users are in the correct APAC subnets. What is the most likely misconfiguration?

53

A remote user reports they cannot connect to the corporate network via GlobalProtect. The GlobalProtect client shows 'Connection failed. Unable to establish a secure connection.' The portal and gateway are configured with certificate authentication. The administrator verifies that the portal/gateway certificates are valid and not expired, and the common name matches the portal's FQDN. The client's machine time is synchronized. Which misconfiguration is most likely the cause?

54

A network engineer is configuring a new GlobalProtect gateway to provide remote access. Which TWO items are required for the gateway to function properly?

55

A site-to-site IPsec tunnel between two Palo Alto Networks firewalls is not passing traffic. The administrator runs the 'show vpn ipsec-sa' command and sees the output in the exhibit. The remote peer is configured to use IKEv2 only. Based on the configuration, what is the most likely cause of the tunnel being in 'init' state?


Frequently asked questions

What does the Secure Access and VPN domain cover on the PCNSE exam?

The Secure Access and VPN domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.

How many Secure Access and VPN questions are in the PCNSE question bank?

The Courseiva PCNSE question bank contains 55 questions in the Secure Access and VPN domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Secure Access and VPN for PCNSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Secure Access and VPN questions for PCNSE?

Yes — the session launcher on this page draws questions exclusively from the Secure Access and VPN domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
