
PCNSE Secure Access and VPN — All Questions With Answers

Complete PCNSE Secure Access and VPN question bank — all 0 questions with answers and detailed explanations.

55 questions

Question 1 (easy, multiple choice)

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

Question 2 (medium, multiple choice)

A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?

Question 3 (hard, multiple choice)

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

Question 4 (medium, multiple choice)

A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?

Question 5 (hard, multiple choice)

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

Question 6 (easy, multiple choice)

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

Question 7 (medium, multiple choice)

An organization uses GlobalProtect with multiple gateways for different regions. Users in the Asia region are connecting to the wrong gateway. What is the most likely cause?

Question 8 (medium, multi select)

Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?

Question 9 (hard, multi select)

Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?

Question 10 (hard, multiple choice)

Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?

Exhibit

show vpn gateway

Name: Corp-GW
Peer IP: 203.0.113.1
Local IP: 198.51.100.1
IKE version: IKEv2
Pre-shared key: ****
IKE crypto profile: default
DPD: enabled

show vpn tunnel

Name: Corp-Tun
Tunnel interface: tunnel.1
Type: IPSec
IKE gateway: Corp-GW
IPSec crypto profile: default
Proxy IDs: local 10.0.0.0/16, remote 172.16.0.0/16

show routing route

Destination: 172.16.0.0/16
Next hop: tunnel.1
Metric: 10

show interface tunnel.1

Interface: tunnel.1
Zone: VPN-Zone
Virtual router: default

Question 11 (medium, multiple choice)

Refer to the exhibit. A user inside the corporate network (IP: 10.1.1.5) connects to the portal. The portal detects the internal host and does not assign a gateway. However, the user still cannot access internal resources. What is the most likely issue?

Exhibit

GlobalProtect Portal Configuration:
  Portal Name: corp-portal
  Authentication Profile: LDAP_Auth
  Gateway: corp-gw
  Client Authentication: Required
  Internal Host Detection: 10.0.0.0/8

GlobalProtect Gateway Configuration:
  Gateway Name: corp-gw
  Tunnel Interface: tunnel.3
  IPSec Crypto Profile: GP-default
  Client IP Pool: 192.168.1.100-192.168.1.200
  Security Rules: allow all

Question 12 (hard, multiple choice)

A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?

Question 13 (medium, drag order)

Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.

Question 14 (medium, matching)

Match each security rule action to its effect.

Permits traffic matching the rule

Blocks traffic and sends a reset

Silently discards traffic without notification

Sends TCP reset to client only

Sends TCP reset to both client and server

Question 15 (easy, multiple choice)

A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?

Question 16 (medium, multiple choice)

An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?

Question 17 (hard, multiple choice)

A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?

Question 18 (easy, multiple choice)

When configuring GlobalProtect with certificate authentication, a user reports that the client prompts for username and password even though the certificate is installed. What is the most likely cause?

Question 19 (medium, multiple choice)

A network engineer configures a tunnel interface for IPSec VPN. After committing, the interface is up but no traffic passes. The tunnel itself is established (IKEv2). What should the engineer check first?

Question 20 (hard, multiple choice)

A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?

Question 21 (easy, multiple choice)

An administrator sees the IPSec tunnel state 'down' under the tunnel monitor. What is the most common cause for this issue?

Question 22 (medium, multiple choice)

A company wants to provide VPN access to external business partners who do not have the GlobalProtect client installed. Which VPN method should be used?

Question 23 (hard, multiple choice)

An organization uses RADIUS as the primary authentication method for GlobalProtect with One-Time Password (OTP). Users can authenticate to the portal, but the gateway connection fails. The RADIUS server logs show successful authentication. What is the most likely issue?

Question 24 (easy, multi select)

Which TWO of the following are supported authentication methods for IPSec VPN tunnel setup between two Palo Alto Networks firewalls?

Question 25 (medium, multi select)

Which THREE of the following are valid configuration elements for a tunnel interface in Palo Alto Networks?

Question 26 (hard, multi select)

Which THREE of the following are capabilities of GlobalProtect Host Information Profile (HIP)?

Question 27 (easy, multiple choice)

What is the most likely cause of Phase2 being down?

Exhibit

Refer to the exhibit.

CLI output:
admin@PA> show vpn ipsec tunnel name Corp-VPN
tunnel Corp-VPN: id 123, establishment status: initiator
  Phase1: state UP, IKEv2
  Phase2: state DOWN, reason: no matching proposal

Question 28 (medium, multiple choice)

A user tries to connect to the GlobalProtect portal but receives 'Certificate validation failed'. What is the most likely missing configuration?

Exhibit

Refer to the exhibit.

Config snippet from portal:
set portal myportal authentication certificate enable yes
set portal myportal authentication profile localAuth
set portal myportal gateway CorpGateway
set shared certificate profile GP-SSL

Question 29 (hard, multiple choice)

A GlobalProtect user behind the tunnel is unable to browse HTTPS websites. What is the issue?

Exhibit

Refer to the exhibit.

Decryption policy rule:
{
  "name": "Skip Decrypt for VPN",
  "from": ["any"],
  "to": ["any"],
  "source": ["10.0.0.0/8"],
  "destination": ["any"],
  "service": ["application-default"],
  "category": ["any"],
  "action": "no-decrypt"
}

Additionally, the GlobalProtect gateway is configured with 'Tunnel Inspection' set to 'Required'.

Question 30 (easy, multiple choice)

A network administrator configures GlobalProtect for remote users. Users report they can connect but cannot access internal resources. The firewall shows the user is connected with a valid IP. What is the most likely cause?

Question 31 (medium, multiple choice)

An organization has two sites connected via IPSec VPN. The tunnel is up, but ICMP traffic between sites fails. No other traffic works. The firewall policy allows any-any. What is the most likely issue?

Question 32 (hard, multiple choice)

A company integrates GlobalProtect with SAML for SSO. Users report that after authentication, they receive a 'Portal cannot be reached' error. The firewall logs show the SAML authentication succeeded. What should the administrator check?

Question 33 (easy, multiple choice)

Refer to the exhibit. A network engineer sees multiple IKE SAs for the same peer. What does this indicate?

Exhibit

admin@PA-5020> show vpn ike-sa
Gateway    Peer     Interface  Role      Life     LifeKB  State
GW1        10.1.1.1 ethernet1/2 Responder 86400   0       ACTIVE
GW1        10.1.1.1 ethernet1/2 Initiator 86400   0       ACTIVE
GW1        10.1.1.1 ethernet1/2 Responder 86400   0       ACTIVE

Question 34 (medium, multiple choice)

Refer to the exhibit. A firewall administrator configures an IPSec tunnel. After committing, the tunnel never becomes active. What is the most likely reason?

Exhibit

set network tunnel ipsec ipsec-tunnel VPN-Tunnel
 set tunnel-interface tunnel.1
 set proxy-id local 192.168.1.0/24
 set proxy-id remote 10.0.0.0/8
 set proxy-id protocol any
 set ike-gateway GW1
 set ipsec-crypto-profile AES256-SHA256
commit

Question 35 (hard, multiple choice)

Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?

Exhibit

2019-04-10 14:23:45, ERROR: ike: IKE negotiation failed: No proposal chosen (1.2.3.4 -> 5.6.7.8)
2019-04-10 14:23:45, WARN: ike: Phase 2 negotiation failed for vpn-tunnel1: no acceptable set of proposals
2019-04-10 14:23:46, INFO: ike: IPSec SA deleted (1.2.3.4 -> 5.6.7.8 spi 0x12345678)

Question 36 (easy, multi select)

Which TWO conditions are required for a successful GlobalProtect connection using certificate authentication?

Question 37 (medium, multi select)

Which THREE troubleshooting steps should be taken when a site-to-site VPN tunnel is up but no traffic passes?

Question 38 (hard, multi select)

Which TWO features are exclusive to GlobalProtect gateway configurations and not available on the portal?

Question 39 (easy, multiple choice)

A remote user's GlobalProtect client disconnects every 10 minutes. What setting should the administrator check?

Question 40 (medium, multiple choice)

A company uses GlobalProtect with internal gateways for accessing data center resources. Users on the internal network should not use the VPN. What is the best practice configuration?

Question 41 (hard, multiple choice)

During a security audit, it is discovered that the GlobalProtect gateway allows clients to use weak encryption algorithms. Which configuration object controls this?

Question 42 (hard, multiple choice)

A company wants to deploy GlobalProtect to 10,000 remote users. Which method provides the most scalable and automated distribution of the client software?

Question 43 (medium, multiple choice)

A network engineer configures an IPSec tunnel with multiple proxy IDs for different subnets. After committing, only one proxy ID establishes IPsec SAs. What should the engineer check?

Question 44 (easy, multiple choice)

An administrator configures a VPN tunnel between two Palo Alto firewalls. The tunnel shows as active, but traffic is not being encrypted. What configuration step is most likely missing?

Question 45 (easy, multiple choice)

A company is deploying GlobalProtect for remote users and wants to enforce that only users with valid certificates are allowed to connect. Which configuration is required on the GlobalProtect gateway?

Question 46 (medium, multiple choice)

A network administrator is troubleshooting an IPsec site-to-site VPN that fails to establish. IKE phase 1 completes successfully, but phase 2 fails with a 'no proposal chosen' message. Both sides have identical IKE and IPsec crypto profiles, and the pre-shared key is correct. What is the most likely cause of the failure?

Question 47 (easy, multi select)

Which TWO configurations are required on a GlobalProtect portal to enable automatic tunnel configuration for macOS clients? (Choose two.)

Question 48 (hard, multi select)

Which THREE factors must match between two IKE peers for successful IPsec tunnel establishment? (Choose three.)

Question 49 (easy, multiple choice)

A small company has two sites connected by a policy-based IPsec VPN. Users at Site B report they cannot reach a server at Site A with IP 10.1.1.100. The firewall administrator checks the VPN monitor and sees the tunnel is active and IKE SAs are up. From the Site B firewall, a ping to 10.1.1.100 succeeds. However, a user on a PC (192.168.50.10) behind the Site B firewall cannot ping 10.1.1.100. The security policy on the Site B firewall allows traffic from trust to VPN zones. What is the most likely cause of the issue?

Question 50 (medium, multiple choice)

A large organization uses GlobalProtect for remote access. Recently, users in the APAC region have been reporting frequent disconnections from the VPN. They can connect and authenticate, but after about 5 minutes the session drops and they must reconnect. The firewall logs show 'GlobalProtect gateway timeout' for these users. The gateway's tunnel timeout is set to 30 minutes. What is the most likely cause?

Question 51 (hard, multiple choice)

After upgrading a firewall pair from PAN-OS 9.1 to 10.0, a route-based IPsec VPN to a partner is no longer establishing. The tunnel is configured with a tunnel interface (tunnel.1) with IP 10.0.0.1/30 and the remote tunnel interface is 10.0.0.2/30. IKE phase 1 completes successfully, but phase 2 fails with 'no proposal chosen' on both sides. Both firewalls have identical IPsec crypto profiles (ESP-AES-256, SHA-256, DH-5, 1-hour lifetime). What is the most likely cause?

Question 52 (medium, multiple choice)

A multinational corporation uses GlobalProtect with multiple gateways distributed globally for load balancing. The portal has 'Enable Location Awareness' enabled and region mapping is configured to map APAC users to the APAC gateway, US users to the US gateway, etc. Recently, users in the APAC region are being redirected to the US gateway, causing high latency. The AD admin confirms that users are in the correct APAC subnets. What is the most likely misconfiguration?

Question 53 (medium, multiple choice)

A remote user reports they cannot connect to the corporate network via GlobalProtect. The GlobalProtect client shows 'Connection failed. Unable to establish a secure connection.' The portal and gateway are configured with certificate authentication. The administrator verifies that the portal/gateway certificates are valid and not expired, and the common name matches the portal's FQDN. The client's machine time is synchronized. Which misconfiguration is most likely the cause?

Question 54 (easy, multi select)

A network engineer is configuring a new GlobalProtect gateway to provide remote access. Which TWO items are required for the gateway to function properly?

Question 55 (hard, multiple choice)

A site-to-site IPsec tunnel between two Palo Alto Networks firewalls is not passing traffic. The administrator runs the 'show vpn ipsec-sa' command and sees the output in the exhibit. The remote peer is configured to use IKEv2 only. Based on the configuration, what is the most likely cause of the tunnel being in 'init' state?

Exhibit

admin@PA-5000> show vpn ipsec-sa
Total IPsec SA: 3
  Gateway: VPN-GW-1, Tunnel-id: 1, State: active, SPI: 123456, Encapsulation: tunnel
  Gateway: VPN-GW-2, Tunnel-id: 2, State: init, SPI: 0, Encapsulation: tunnel
  Gateway: VPN-GW-3, Tunnel-id: 3, State: active, SPI: 789012, Encapsulation: transport

Configuration for VPN-GW-2:
set network tunnel ipsec ipsec-crypto VPN-GW-2 ike-gateway VPN-GW-2-IKE
set network tunnel ipsec ipsec-crypto VPN-GW-2 esp-authentication sha1
set network tunnel ipsec ipsec-crypto VPN-GW-2 esp-encryption aes128
set network tunnel ipsec ipsec-crypto VPN-GW-2 lifetime 3600
set network ike gateway VPN-GW-2-IKE version ikev1
set network ike gateway VPN-GW-2-IKE protocol-version ikev1
set network ike gateway VPN-GW-2-IKE peer-address 10.1.1.1
set network ike gateway VPN-GW-2-IKE pre-shared-key mykey
set network ike gateway VPN-GW-2-IKE local-address 10.1.1.2
set network ike gateway VPN-GW-2-IKE local-id 10.1.1.2
set network ike gateway VPN-GW-2-IKE peer-id 10.1.1.1
set network tunnel ipsec ipsec-crypto VPN-GW-2 proxy-id local-ip 192.168.1.0/24
set network tunnel ipsec ipsec-crypto VPN-GW-2 proxy-id remote-ip 192.168.2.0/24
