Practice PCNSE Securing Users and Applications with Authentication questions with full explanations on every answer.
1. A company wants to enforce MFA for VPN users but allow users to authenticate without MFA when connecting from the corporate office. Which authentication policy configuration achieves this?
2. After configuring SAML authentication for GlobalProtect, users report they are repeatedly prompted for credentials even though they already authenticated via the IdP. The firewall logs show 'saml-auth-success' but the portal log shows 'user-login-failure: invalid saml assertion'. What is the most likely cause?
3. A network administrator needs to authenticate users accessing the internet through the firewall using Active Directory credentials. Which authentication method should be used to transparently authenticate users without requiring a browser-based captive portal?
4. An organization has deployed GlobalProtect with certificate authentication. Users on macOS report that after updating their client, they cannot connect and see error 'Certificate validation failed: The certificate hash does not match.' What is the most likely cause?
5. An administrator configured the authentication profile shown. Users in the domain 'EXAMPLE' are unable to authenticate; logs show 'Authentication failed: user not found'. What is the likely issue?
6. Which TWO authentication methods support single sign-on (SSO) capabilities in Palo Alto Networks firewalls?
7. Which THREE factors should be considered when designing an authentication policy for a multi-zone environment with varied security requirements? (Choose THREE.)
8. A large enterprise with 10,000+ users is deploying GlobalProtect with SAML authentication. The IdP is Azure AD. Users report that authentication sometimes fails during peak hours with error 'SAML response timeout'. Which design change would most effectively address this issue?
9. You are a network security engineer for a multinational corporation with users in different regions. The company uses GlobalProtect for remote access and requires multi-factor authentication (MFA) using a mobile app for all users. Recently, users in the Asia-Pacific region have reported intermittent failures when authenticating via GlobalProtect. The symptoms include: after entering credentials on the GlobalProtect portal, the authentication challenge from the MFA provider times out after 30 seconds, and the user is disconnected. Users in other regions do not experience this issue. The GlobalProtect gateways and portals are configured with an Authentication Profile that uses an LDAP server for primary authentication and an MFA vendor as authentication sequence. The MFA provider sends push notifications to users' mobile devices. The firewall logs show no errors related to LDAP or MFA, but the GlobalProtect logs indicate authentication timeouts. The firewall is located in the central data center, and the MFA provider's servers are in the United States. What should you do to resolve this issue?
10. An organization wants to enforce multi-factor authentication (MFA) for administrative access to the Palo Alto Networks firewall. Which TWO authentication methods are supported for local administrator accounts?
11. Refer to the exhibit. A firewall administrator created a local user group named 'Engineering' and added two users. However, when applying a security policy that uses this group as the source user, only one user (asmith) is matched correctly. What is the most likely cause of this issue?
12. A company uses a Palo Alto Networks firewall with Authentication Policy to enforce MFA for external users accessing a web application via GlobalProtect. The authentication sequence is set to 'PingID, LDAP'. Recently, users report that after entering their LDAP credentials, they are not prompted for PingID MFA and are allowed access immediately. The firewall logs show that the authentication policy is hit and the authentication method used is 'LDAP' only. The PingID service is reachable from the firewall. The administrator checks the Authentication Profile and sees that PingID is configured correctly. What is the most likely cause of this issue?
13. Arrange the steps to deploy a new Panorama template to a managed firewall.
14. Match each security profile type to its purpose.
15. An administrator configures an authentication policy to require authentication for the 'ssl' application. After committing, the firewall does not prompt users for credentials when they access HTTPS sites. Which step is most likely missing?
16. A company has configured multi-factor authentication (MFA) via an authentication sequence using LDAP and RADIUS. Users authenticate successfully with LDAP but the MFA prompt from RADIUS does not appear. What is the most likely cause?
17. A security administrator notices that users are able to bypass authentication by accessing resources using IP addresses instead of FQDNs, even though authentication policies are configured. How can this be prevented?
18. A company wants to authenticate users who are accessing internal applications from the internet through a firewall. The users should be prompted once per session. Which authentication solution best meets this requirement?
19. An administrator has configured an authentication profile with LDAP and sets the authentication sequence to 'continue on failure'. A user enters an incorrect password first, then correct. Will the user be authenticated?
20. Which of the following is required for SAML-based single sign-on to work with a Palo Alto Networks firewall acting as the service provider?
21. A network engineer is troubleshooting an authentication issue where users in a specific group are not being prompted for credentials, even though the authentication policy matches their traffic. The firewall logs show that the traffic is allowed by the security policy. What is the most likely cause?
22. An organization uses captive portal authentication. Users report that after closing the browser, they are still authenticated and can access resources without re-authenticating. How can the administrator enforce re-authentication after browser closure?
23. When configuring an authentication policy, which match criteria is required to trigger authentication?
24. An administrator is configuring authentication for a captive portal. Which two configuration steps are necessary? (Choose two.)
25. A security architect is designing authentication for a hybrid workforce with both on-premises and remote users. Which three best practices should be implemented? (Choose three.)
26. When troubleshooting an authentication issue where users are not prompted for credentials, which two logs or commands would be most useful? (Choose two.)
27. Refer to the exhibit. A network administrator is troubleshooting why users are not being prompted for authentication when accessing HTTPS sites. The authentication rule and security policy are shown. What is the most likely cause?
28. Refer to the exhibit. The administrator committed this configuration but users cannot authenticate via SAML. What is the problem?
29. Refer to the exhibit. A user at IP 10.10.1.11 is unable to access internal resources that require authentication. The firewall logs show 'no user mapping' for traffic from this IP. Which step should the administrator take first?
30. A company uses GlobalProtect with SAML authentication. Users report being redirected to the IdP login page repeatedly even after successfully authenticating. What is the most likely cause?
31. A security architect needs to enforce authentication for all application-based policies using an external authentication source with MFA. Which combination of features best achieves this?
32. An administrator wants to enforce authentication for SSL decrypted traffic so that only authenticated users can access decrypted content. Which firewall feature should be configured?
33. Users are unable to authenticate via Captive Portal. The firewall receives authentication requests but they time out. What should be checked first?
34. An organization needs to enforce authentication for application-based policies. Users are in multiple AD groups. Which authentication enforcement method best scales and minimizes administrative overhead?
35. To reduce the number of authentication prompts for users accessing multiple applications through the firewall, which configuration is recommended?
36. An organization uses Microsoft Active Directory for User-ID mapping. Some users are not being mapped because their IP addresses change frequently due to DHCP. Which approach should be implemented to ensure these users are identified?
37. A company needs to authenticate remote users accessing internal web applications via GlobalProtect portal and wants to use SAML with Azure AD for MFA. Which component must be configured on the firewall?
38. A security admin receives reports that some users are bypassing authentication by manually setting a different IP address. Which feature can enforce that only users who have authenticated through the firewall can access resources?
39. Which TWO factors should be considered when designing an authentication enforcement strategy? (Choose two.)
40. Which THREE components are part of the GlobalProtect infrastructure? (Choose three.)
41. Which TWO are prerequisites for using Authentication Policy? (Choose two.)
42. Refer to the exhibit. A user is trying to authenticate via SAML and receives this error. What is the most likely cause?
43. Refer to the exhibit. What happens when a user with an unknown identity (source-user unknown) tries to access resources in 192.168.1.0/24?
44. Refer to the exhibit. Which configuration is required in the authentication profile 'SAML-Auth'?
45. A company is migrating to cloud-based SaaS applications and wants to enforce SAML-based authentication with single logout. They have a Palo Alto firewall running the latest PAN-OS. What is the recommended configuration to enable SAML authentication for these applications?
46. After a PAN-OS upgrade from 9.1 to 10.2, users report that captive portal authentication fails consistently. The authentication profile uses LDAP and the LDAP server is reachable from the firewall. The captive portal page loads, but after entering credentials, users are redirected back to the login page. What is the most likely cause?
47. Which TWO authentication methods are supported for captive portal on a Palo Alto Networks firewall?
48. Which THREE components are required to deploy the Palo Alto Networks User-ID agent in a typical Windows environment to map users to IP addresses?
49. A large enterprise uses GlobalProtect with SAML authentication integrated with Azure AD for remote access. Users on laptops report intermittent authentication failures when moving between different office locations or switching wireless access points. The firewall clusters are geographically distributed and connected via MPLS. The authentication policy is configured correctly and the SAML identity provider is reachable. What should the administrator check first to resolve the issue?
50. An organization uses captive portal for guest Wi-Fi access with LDAP authentication against an on-premise Active Directory. Users complain that after successfully logging in, they are repeatedly prompted for credentials every few minutes. The captive portal page loads correctly and credentials are accepted initially. The authentication profile has a session timeout of 60 minutes. What is the most likely cause of the repeated prompts?
51. A company wants to enforce multi-factor authentication (MFA) for all administrative access to the Palo Alto Networks firewall. They have a RADIUS server configured with MFA capability (e.g., RSA SecurID). The firewall is currently using local authentication for admin accounts. What must be configured to enforce MFA for admin access?
52. A cloud-based application is accessed via URL filtering and uses SAML authentication. After a user changes their password in the identity provider (Okta), they are unable to authenticate to the application. The firewall is configured with an authentication policy that uses SAML. Other users who have not changed passwords can authenticate successfully. What is the most likely issue?
53. A company wants to enforce multi-factor authentication (MFA) for employees accessing a specific internal application through the firewall. Which two configurations are required on the Palo Alto Networks firewall? (Choose two.)
54. A firewall administrator configured the security rule shown in the exhibit to enforce SAML authentication for web-browsing traffic from the trust zone to the untrust zone. However, users are not prompted to authenticate. What is the most likely cause?
55. A multinational corporation uses Palo Alto Networks NGFWs to secure user access to cloud-based productivity applications. Users authenticate via SAML using an external identity provider. Recently, the helpdesk has received multiple complaints that when users log in to the first application in the morning, they are prompted for SAML authentication. After authenticating successfully, if they navigate to a different application (e.g., from email to document editing) within the same browser tab, they are again prompted to re-authenticate, which disrupts their workflow. The firewall authentication logs show that each application access triggers a new SAML authentication request, even though the user’s session is still active. The administrator has verified that the SAML identity provider is properly configured, and the authentication profile on the firewall uses a unique identifier per user. The company wants to minimize re-authentication prompts while maintaining security. Which action should the administrator take?
The Securing Users and Applications with Authentication domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 55 questions in the Securing Users and Applications with Authentication domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Securing Users and Applications with Authentication domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.