Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Securing Users and Applications with Authentication practice sets

PCNSE Securing Users and Applications with Authentication • Complete Question Bank

PCNSE Securing Users and Applications with Authentication — All Questions With Answers

Complete PCNSE Securing Users and Applications with Authentication question bank — all 0 questions with answers and detailed explanations.

55
Questions
Free
No signup
Certifications/PCNSE/Practice Test/Securing Users and Applications with Authentication/All Questions
Question 1mediummultiple choice
Read the full VPN explanation →

A company wants to enforce MFA for VPN users but allow users to authenticate without MFA when connecting from the corporate office. Which authentication policy configuration achieves this?

Question 2hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

After configuring SAML authentication for GlobalProtect, users report they are repeatedly prompted for credentials even though they already authenticated via the IdP. The firewall logs show 'saml-auth-success' but the portal log shows 'user-login-failure: invalid saml assertion'. What is the most likely cause?

Question 3easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A network administrator needs to authenticate users accessing the internet through the firewall using Active Directory credentials. Which authentication method should be used to transparently authenticate users without requiring a browser-based captive portal?

Question 4hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An organization has deployed GlobalProtect with certificate authentication. Users on macOS report that after updating their client, they cannot connect and see error 'Certificate validation failed: The certificate hash does not match.' What is the most likely cause?

Question 5mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An administrator configured the authentication profile shown. Users in the domain 'EXAMPLE' are unable to authenticate; logs show 'Authentication failed: user not found'. What is the likely issue?

Exhibit

Refer to the exhibit.

admin@PA-5000# show shared authentication-profile TestAuth
{
  "entry": {
    "@name": "TestAuth",
    "method": {
      "kerberos": {
        "server-profile": "KDC-Profile",
        "realm": "EXAMPLE.COM"
      },
      "allow-list": ["EXAMPLE\\user1", "EXAMPLE\\user2"]
    },
    "user-domain": "EXAMPLE",
    "expiration": 60
  }
}
Question 6easymulti select
Read the full Securing Users and Applications with Authentication explanation →

Which TWO authentication methods support single sign-on (SSO) capabilities in Palo Alto Networks firewalls?

Question 7hardmulti select
Read the full Securing Users and Applications with Authentication explanation →

Which THREE factors should be considered when designing an authentication policy for a multi-zone environment with varied security requirements? (Choose THREE.)

Question 8hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A large enterprise with 10,000+ users is deploying GlobalProtect with SAML authentication. The IdP is Azure AD. Users report that authentication sometimes fails during peak hours with error 'SAML response timeout'. Which design change would most effectively address this issue?

Question 9hardmultiple choice
Read the full NAT/PAT explanation →

You are a network security engineer for a multinational corporation with users in different regions. The company uses GlobalProtect for remote access and requires multi-factor authentication (MFA) using a mobile app for all users. Recently, users in the Asia-Pacific region have reported intermittent failures when authenticating via GlobalProtect. The symptoms include: after entering credentials on the GlobalProtect portal, the authentication challenge from the MFA provider times out after 30 seconds, and the user is disconnected. Users in other regions do not experience this issue. The GlobalProtect gateways and portals are configured with Authentication Profile that uses an LDAP server for primary authentication and an MFA vendor as authentication sequence. The MFA provider sends push notifications to users' mobile devices. The firewall logs show no errors related to LDAP or MFA, but the GlobalProtect logs indicate authentication timeouts. The firewall is located in the central data center, and the MFA provider's servers are in the United States. What should you do to resolve this issue?

Question 10easymulti select
Read the full Securing Users and Applications with Authentication explanation →

An organization wants to enforce multi-factor authentication (MFA) for administrative access to the Palo Alto Networks firewall. Which TWO authentication methods are supported for local administrator accounts?

Question 11hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. A firewall administrator created a local user group named 'Engineering' and added two users. However, when applying a security policy that uses this group as the source user, only one user (asmith) is matched correctly. What is the most likely cause of this issue?

Exhibit

Refer to the exhibit.

admin@PA-220> show user group name Engineering
group-id: 123
domain: corp.local
group name: Engineering
type: local (membership determined by s AM L)
user list:
  jdoe
  asmith

total users: 2

admin@PA-220> show user group name Engineering detail

Group: Engineering
  User: jdoe (source: LDAP)
  User: asmith (source: LDAP)

admin@PA-220> show user group name Engineering config
group {
  name "Engineering";
  id 123;
  type local;
  user {
    jdoe;
    asmith;
  }
}

admin@PA-220> show user group name Engineering statistics
  Total members: 2
  LDAP members: 2
  Local members: 0
  Cloud Identity Engine members: 0
Question 12mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A company uses a Palo Alto Networks firewall with Authentication Policy to enforce MFA for external users accessing a web application via GlobalProtect. The authentication sequence is set to 'PingID, LDAP'. Recently, users report that after entering their LDAP credentials, they are not prompted for PingID MFA and are allowed access immediately. The firewall logs show that the authentication policy is hit and the authentication method used is 'LDAP' only. The PingID service is reachable from the firewall. The administrator checks the Authentication Profile and sees that PingID is configured correctly. What is the most likely cause of this issue?

Question 13mediumdrag order
Read the full Securing Users and Applications with Authentication explanation →

Arrange the steps to deploy a new Panorama template to a managed firewall.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 14mediummatching
Read the full Securing Users and Applications with Authentication explanation →

Match each security profile type to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Detects and blocks malware in traffic

Prevents spyware and command-and-control traffic

Blocks exploits targeting known vulnerabilities

Controls access to websites based on category

Blocks specific file types from being transferred

Question 15easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An administrator configures an authentication policy to require authentication for the 'ssl' application. After committing, the firewall does not prompt users for credentials when they access HTTPS sites. Which step is most likely missing?

Question 16easymultiple choice
Study the full AAA explanation →

A company has configured multi-factor authentication (MFA) via an authentication sequence using LDAP and RADIUS. Users authenticate successfully with LDAP but the MFA prompt from RADIUS does not appear. What is the most likely cause?

Question 17hardmultiple choice
Read the full DNS explanation →

A security administrator notices that users are able to bypass authentication by accessing resources using IP addresses instead of FQDNs, even though authentication policies are configured. How can this be prevented?

Question 18easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A company wants to authenticate users who are accessing internal applications from the internet through a firewall. The users should be prompted once per session. Which authentication solution best meets this requirement?

Question 19easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An administrator has configured an authentication profile with LDAP and sets the authentication sequence to 'continue on failure'. A user enters an incorrect password first, then correct. Will the user be authenticated?

Question 20mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Which of the following is required for SAML-based single sign-on to work with a Palo Alto Networks firewall acting as the service provider?

Question 21hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A network engineer is troubleshooting an authentication issue where users in a specific group are not being prompted for credentials, even though the authentication policy matches their traffic. The firewall logs show that the traffic is allowed by the security policy. What is the most likely cause?

Question 22mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An organization uses captive portal authentication. Users report that after closing the browser, they are still authenticated and can access resources without re-authenticating. How can the administrator enforce re-authentication after browser closure?

Question 23easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

When configuring an authentication policy, which match criteria is required to trigger authentication?

Question 24mediummulti select
Read the full Securing Users and Applications with Authentication explanation →

An administrator is configuring authentication for a captive portal. Which two configuration steps are necessary? (Choose two.)

Question 25hardmulti select
Read the full Securing Users and Applications with Authentication explanation →

A security architect is designing authentication for a hybrid workforce with both on-premises and remote users. Which three best practices should be implemented? (Choose three.)

Question 26mediummulti select
Read the full Securing Users and Applications with Authentication explanation →

When troubleshooting an authentication issue where users are not prompted for credentials, which two logs or commands would be most useful? (Choose two.)

Question 27hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. A network administrator is troubleshooting why users are not being prompted for authentication when accessing HTTPS sites. The authentication rule and security policy are shown. What is the most likely cause?

Exhibit

admin@PA-5050> show authentication rule
id=1, rule=>, from z1, to z2, application ssl, user any, action authentication, profile AuthProfile, seq=1
id=2, rule=>, from z1, to z2, application ping, user any, action allow
admin@PA-5050> show running security-policy
rule 1: from z1 to z2, application ssl, action allow
Question 28mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. The administrator committed this configuration but users cannot authenticate via SAML. What is the problem?

Exhibit

set authentication profile "SAML-Profile" method saml
set authentication profile "SAML-Profile" saml-identity-provider "AzureAD"
set authentication profile "SAML-Profile" saml-logout-url "https://login.microsoftonline.com/logout"
set authentication profile "SAML-Profile" method ldap
Question 29hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. A user at IP 10.10.1.11 is unable to access internal resources that require authentication. The firewall logs show 'no user mapping' for traffic from this IP. Which step should the administrator take first?

Exhibit

admin@PA-5000> show user user-id dump
User-ID Dump
IP: 10.10.1.10     User: jdoe@company.com     Source: Pre-Login mapping
IP: 10.10.1.11     User: (unknown)
IP: 10.10.1.20     User: jsmith@company.com     Source: Kerberos
Question 30mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A company uses GlobalProtect with SAML authentication. Users report being redirected to the IdP login page repeatedly even after successfully authenticating. What is the most likely cause?

Question 31hardmultiple choice
Read the full NAT/PAT explanation →

A security architect needs to enforce authentication for all application-based policies using an external authentication source with MFA. Which combination of features best achieves this?

Question 32easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An administrator wants to enforce authentication for SSL decrypted traffic so that only authenticated users can access decrypted content. Which firewall feature should be configured?

Question 33mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Users are unable to authenticate via Captive Portal. The firewall receives authentication requests but they time out. What should be checked first?

Question 34hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

An organization needs to enforce authentication for application-based policies. Users are in multiple AD groups. Which authentication enforcement method best scales and minimizes administrative overhead?

Question 35easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

To reduce the number of authentication prompts for users accessing multiple applications through the firewall, which configuration is recommended?

Question 36mediummultiple choice
Read the full DHCP explanation →

An organization uses Microsoft Active Directory for User-ID mapping. Some users are not being mapped because their IP addresses change frequently due to DHCP. Which approach should be implemented to ensure these users are identified?

Question 37hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A company needs to authenticate remote users accessing internal web applications via GlobalProtect portal and wants to use SAML with Azure AD for MFA. Which component must be configured on the firewall?

Question 38easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A security admin receives reports that some users are bypassing authentication by manually setting a different IP address. Which feature can enforce that only users who have authenticated through the firewall can access resources?

Question 39easymulti select
Read the full Securing Users and Applications with Authentication explanation →

Which TWO factors should be considered when designing an authentication enforcement strategy? (Choose two.)

Question 40mediummulti select
Read the full Securing Users and Applications with Authentication explanation →

Which THREE components are part of the GlobalProtect infrastructure? (Choose three.)

Question 41hardmulti select
Read the full Securing Users and Applications with Authentication explanation →

Which TWO are prerequisites for using Authentication Policy? (Choose two.)

Question 42mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. A user is trying to authenticate via SAML and receives this error. What is the most likely cause?

Exhibit

Time         | Source IP | User | Auth method | Status | Reason
10:00:00     10.1.1.100 | jdoe | SAML        | FAIL  | SAML response validation failed: Invalid audience
Question 43hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. What happens when a user with an unknown identity (source-user unknown) tries to access resources in 192.168.1.0/24?

Exhibit

authentication-policy {
    rules {
        "require-auth" {
            match {
                source-user "unknown"
                destination-address "192.168.1.0/24"
            }
            action allow-authentication
            authentication-profile "SAML-Auth"
        }
    }
}
Question 44easymultiple choice
Read the full Securing Users and Applications with Authentication explanation →

Refer to the exhibit. Which configuration is required in the authentication profile 'SAML-Auth'?

Exhibit

portal "Corporate-Portal" {
    authentication-profile "SAML-Auth"
    ...
}
Question 45mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A company is migrating to cloud-based SaaS applications and wants to enforce SAML-based authentication with single logout. They have a Palo Alto firewall running the latest PAN-OS. What is the recommended configuration to enable SAML authentication for these applications?

Question 46hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

After a PAN-OS upgrade from 9.1 to 10.2, users report that captive portal authentication fails consistently. The authentication profile uses LDAP and the LDAP server is reachable from the firewall. The captive portal page loads, but after entering credentials, users are redirected back to the login page. What is the most likely cause?

Question 47easymulti select
Read the full Securing Users and Applications with Authentication explanation →

Which TWO authentication methods are supported for captive portal on a Palo Alto Networks firewall?

Question 48mediummulti select
Read the full Securing Users and Applications with Authentication explanation →

Which THREE components are required to deploy the Palo Alto Networks User-ID agent in a typical Windows environment to map users to IP addresses?

Question 49hardmultiple choice
Read the full MPLS explanation →

A large enterprise uses GlobalProtect with SAML authentication integrated with Azure AD for remote access. Users on laptops report intermittent authentication failures when moving between different office locations or switching wireless access points. The firewall clusters are geographically distributed and connected via MPLS. The authentication policy is configured correctly and the SAML identity provider is reachable. What should the administrator check first to resolve the issue?

Question 50mediummultiple choice
Read the full wireless explanation →

An organization uses captive portal for guest Wi-Fi access with LDAP authentication against an on-premise Active Directory. Users complain that after successfully logging in, they are repeatedly prompted for credentials every few minutes. The captive portal page loads correctly and credentials are accepted initially. The authentication profile has a session timeout of 60 minutes. What is the most likely cause of the repeated prompts?

Question 51easymultiple choice
Study the full AAA explanation →

A company wants to enforce multi-factor authentication (MFA) for all administrative access to the Palo Alto Networks firewall. They have a RADIUS server configured with MFA capability (e.g., RSA SecurID). The firewall is currently using local authentication for admin accounts. What must be configured to enforce MFA for admin access?

Question 52mediummultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A cloud-based application is accessed via URL filtering and uses SAML authentication. After a user changes their password in the identity provider (Okta), they are unable to authenticate to the application. The firewall is configured with an authentication policy that uses SAML. Other users who have not changed passwords can authenticate successfully. What is the most likely issue?

Question 53mediummulti select
Read the full Securing Users and Applications with Authentication explanation →

A company wants to enforce multi-factor authentication (MFA) for employees accessing a specific internal application through the firewall. Which two configurations are required on the Palo Alto Networks firewall? (Choose two.)

Question 54hardmultiple choice
Read the full Securing Users and Applications with Authentication explanation →

A firewall administrator configured the security rule shown in the exhibit to enforce SAML authentication for web-browsing traffic from the trust zone to the untrust zone. However, users are not prompted to authenticate. What is the most likely cause?

Exhibit

Refer to the exhibit.

> show running security-rule rule "web-auth"
Source zone: trust
Destination zone: untrust
Source user: any
Destination user: any
Application: web-browsing
Service: application-default
Action: allow
Authentication enforcement: authenticate
Authentication profile: saml-profile
Question 55easymultiple choice
Read the full NAT/PAT explanation →

A multinational corporation uses Palo Alto Networks NGFWs to secure user access to cloud-based productivity applications. Users authenticate via SAML using an external identity provider. Recently, the helpdesk has received multiple complaints that when users log in to the first application in the morning, they are prompted for SAML authentication. After authenticating successfully, if they navigate to a different application (e.g., from email to document editing) within the same browser tab, they are again prompted to re-authenticate, which disrupts their workflow. The firewall authentication logs show that each application access triggers a new SAML authentication request, even though the user’s session is still active. The administrator has verified that the SAML identity provider is properly configured, and the authentication profile on the firewall uses a unique identifier per user. The company wants to minimize re-authentication prompts while maintaining security. Which action should the administrator take?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSE Practice Test 1 — 10 Questions→PCNSE Practice Test 2 — 10 Questions→PCNSE Practice Test 3 — 10 Questions→PCNSE Practice Test 4 — 10 Questions→PCNSE Practice Test 5 — 10 Questions→PCNSE Practice Exam 1 — 20 Questions→PCNSE Practice Exam 2 — 20 Questions→PCNSE Practice Exam 3 — 20 Questions→PCNSE Practice Exam 4 — 20 Questions→Free PCNSE Practice Test 1 — 30 Questions→Free PCNSE Practice Test 2 — 30 Questions→Free PCNSE Practice Test 3 — 30 Questions→PCNSE Practice Questions 1 — 50 Questions→PCNSE Practice Questions 2 — 50 Questions→PCNSE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPNTroubleshoot

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Securing Users and Applications with Authentication setsAll Securing Users and Applications with Authentication questionsPCNSE Practice Hub