CCNA Secure Access and VPN Questions

55 questions · Secure Access and VPN · All types, answers revealed

1
Multi-Select · hard

Which TWO features are exclusive to GlobalProtect gateway configurations and not available on the portal?

Select 2 answers
A. Clientless VPN access.
B. Enforcement of host integrity checks.
C. Configuration of internal gateway for split tunneling.
D. Application override settings.
E. Use of SSL as a transport protocol.
Answers: B, C

Correct. Host integrity is configured on the gateway.

Why this answer

Host integrity checks and internal gateway configuration for split tunneling are configured only on the gateway, not on the portal.

2
MCQ · medium

A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?

A. Configure the portal to assign the gateway only when the user is external.
B. Set the gateway's 'Tunnel Mode' to 'No' for internal users.
C. Configure the gateway agent with internal host detection.
D. Set the portal's 'Internal Host Detection' to detect the internal network and set 'Gateway' to 'None' for the internal network.
Answer: D

When the portal detects an internal host, it can be configured to not assign a gateway, allowing direct access.

Why this answer

Option D is correct because GlobalProtect's Internal Host Detection (IHD) feature allows the portal to detect whether a user is inside the corporate network. When the portal detects the user is internal, it can be configured to assign 'None' as the gateway, meaning the client will not establish a VPN tunnel and will connect directly to internal resources. This ensures traffic does not hairpin through the firewall.

Exam trap

The trap here is that candidates often confuse Internal Host Detection as a gateway-side feature (Option C) or think the portal can simply assign gateways based on user location without the explicit IHD check (Option A).

How to eliminate wrong answers

Option A is wrong because the portal does not assign gateways based solely on external status; it uses Internal Host Detection to decide which gateway (or none) to assign. Option B is wrong because setting the gateway's 'Tunnel Mode' to 'No' would disable the tunnel for all users assigned to that gateway, not just internal users, and would still require the client to connect to the gateway. Option C is wrong because the gateway agent does not perform Internal Host Detection; that detection is done by the portal during the initial configuration download, not by the gateway.

3
MCQ · easy

A remote user's GlobalProtect client disconnects every 10 minutes. What setting should the administrator check?

A. The reconnection interval on the portal.
B. The idle timeout on the authentication profile.
C. The ping interval on the gateway.
D. The UDP checksum offloading on the client.
Answer: C

Correct. Gateway ping interval defines how often keepalives are sent.

Why this answer

The gateway sends keepalive pings to maintain the tunnel. If the ping interval is set too short or the threshold for missed pings is low, the client may disconnect prematurely.

4
Multi-Select · hard

Which THREE factors must match between two IKE peers for successful IPsec tunnel establishment? (Choose three.)

Select 3 answers
A. Dead peer detection interval
B. IKE encryption algorithm
C. IKE authentication algorithm
D. Local certificate
E. IKE version (v1 or v2)
Answers: B, C, E

The encryption algorithm must match for phase 1.

Why this answer

Options B, C, and E are correct. IKE version, encryption algorithm, and authentication algorithm must match. Option D is incorrect because the local certificate is not required to match; certificates must be trusted, not identical.

Option A is incorrect because dead peer detection is a keepalive mechanism, not a mandatory matching factor.

5
MCQ · easy

When configuring GlobalProtect with certificate authentication, a user reports that the client prompts for username and password even though the certificate is installed. What is the most likely cause?

A. The certificate is expired
B. The portal authentication profile requires both certificate and password
C. The client certificate does not match the username
D. The root CA certificate is not imported into the firewall
Answer: B

If the profile is configured for multi-factor, the client requires both certificate and password.

Why this answer

When the portal authentication profile requires both certificate and password, the client will prompt for credentials even if a valid certificate is present.

6
MCQ · medium

Refer to the exhibit. A user inside the corporate network (IP: 10.1.1.5) connects to the portal. The portal detects the internal host and does not assign a gateway. However, the user still cannot access internal resources. What is the most likely issue?

A. The gateway is not configured with a client IP pool.
B. The GlobalProtect client is configured to always use the gateway.
C. The portal's authentication profile is incorrect.
D. The portal is not configured with internal host detection.
Answer: B

If the client is set to 'Always use VPN', it may still try to tunnel even when internal.

Why this answer

When the GlobalProtect client is configured to 'always use the gateway,' it forces all traffic (including internal traffic) to be tunneled to the gateway even when the user is already inside the corporate network. The portal correctly detects the internal host and does not assign a gateway, but the client still attempts to send traffic through the gateway, which is not reachable or not configured to forward internal traffic back, breaking access to internal resources.

Exam trap

The trap here is that candidates assume internal host detection alone solves the problem, but they overlook the client-side 'always use the gateway' setting that overrides the portal's decision and forces tunneled traffic even for internal users.

How to eliminate wrong answers

Option A is wrong because the gateway not having a client IP pool would prevent external users from getting an IP, but the issue here is that no gateway is assigned at all, and the client is still trying to use a gateway. Option C is wrong because an incorrect authentication profile would prevent the user from logging into the portal, but the user successfully connects to the portal and is detected as internal. Option D is wrong because internal host detection is working correctly (the portal detects the internal host and does not assign a gateway), so this is not the issue.

7
MCQ · hard

A GlobalProtect user behind the tunnel is unable to browse HTTPS websites. What is the issue?

A. The firewall's decryption policy is not applied to the tunnel
B. The decryption policy rule blocks traffic from 10.0.0.0/8
C. The user's SSL certificate is not trusted
D. The tunnel inspection required conflicts with the no-decrypt rule, causing SSL sessions to be dropped
Answer: D

When tunnel inspection is required, the firewall must decrypt all SSL traffic. A no-decrypt rule forces decryption to be skipped, causing the firewall to drop the session.

Why this answer

With 'Tunnel Inspection Required', the firewall must decrypt all SSL traffic from the tunnel. The no-decrypt rule for internal traffic creates a conflict, causing the firewall to drop the SSL sessions because it cannot decide whether to decrypt or not.

8
Matching · medium

Match each security rule action to its effect.


Matches

Permits traffic matching the rule

Blocks traffic and sends a reset

Silently discards traffic without notification

Sends TCP reset to client only

Sends TCP reset to both client and server

Why these pairings

These actions determine how the firewall handles matching traffic.

9
MCQ · easy

A network administrator configures GlobalProtect for remote users. Users report they can connect but cannot access internal resources. The firewall shows the user is connected with a valid IP. What is the most likely cause?

A. The client's local firewall is blocking traffic.
B. The GlobalProtect gateway is not configured with the correct internal DNS suffix.
C. Split tunneling is misconfigured, causing missing internal routes.
D. The authentication profile is set to require multi-factor authentication.
Answer: C

Correct. Missing routes prevent access to internal subnets.

Why this answer

Split tunneling controls which traffic goes through the tunnel. If misconfigured, internal routes may be missing, preventing access to internal resources.

10
MCQ · medium

A large organization uses GlobalProtect for remote access. Recently, users in the APAC region have been reporting frequent disconnections from the VPN. They can connect and authenticate, but after about 5 minutes the session drops and they must reconnect. The firewall logs show 'GlobalProtect gateway timeout' for these users. The gateway's tunnel timeout is set to 30 minutes. What is the most likely cause?

A. The GlobalProtect client's keepalive interval is set to 60 minutes
B. The portal's authentication timeout is set to 120 minutes
C. The IP pool for the gateway is exhausted
D. The internal gateway hostname cannot be resolved by the client
Answer: A

If the keepalive interval exceeds the gateway's idle timeout, the session is dropped.

Why this answer

Option A is correct because if the tunnel timeout is 30 minutes but the client's keepalive interval is longer than the gateway's idle timeout, the gateway may drop the session. Option D is incorrect because a hostname resolution failure causes connection issues, not timeouts. Option B is incorrect because the authentication timeout is set to 120 minutes, which is longer than the gateway's tunnel timeout.

Option C is incorrect because IP pool exhaustion would prevent new connections, not drop established sessions.

11
MCQ · medium

A network engineer configures a tunnel interface for IPSec VPN. After committing, the interface is up but no traffic passes. The tunnel itself is established (IKEv2). What should the engineer check first?

A. The tunnel interface is in the wrong virtual router
B. The tunnel interface has no IP address
C. The tunnel interface is not assigned to a zone
D. The tunnel interface does not have a management profile
Answer: B

A tunnel interface requires an IP address to route traffic; without it, packets are not routed.

Why this answer

Without an IP address, the tunnel interface cannot route packets, even if the IPSec tunnel is established.

12
MCQ · medium

A network engineer configures an IPSec tunnel with multiple proxy IDs for different subnets. After committing, only one proxy ID establishes IPsec SAs. What should the engineer check?

A. The number of concurrent tunnels allowed.
B. The IPSec crypto profile.
C. The IKE gateway mode.
D. The tunnel monitor settings.
Answer: A

Correct. The firewall may limit concurrent SAs per gateway.

Why this answer

There is a maximum number of concurrent IPsec SAs (tunnels) per IKE gateway. If the limit is reached, additional proxy IDs will not establish SAs.

13
MCQ · medium

A remote user reports they cannot connect to the corporate network via GlobalProtect. The GlobalProtect client shows 'Connection failed. Unable to establish a secure connection.' The portal and gateway are configured with certificate authentication. The administrator verifies that the portal/gateway certificates are valid and not expired, and the common name matches the portal's FQDN. The client's machine time is synchronized. Which configuration misconfiguration is most likely the cause?

A. The client's GlobalProtect app is an older version that does not support TLS 1.2.
B. The gateway authentication profile is set to use RADIUS instead of certificate.
C. The portal is configured with an incorrect server certificate common name (CN) that does not match the portal's FQDN.
D. The GlobalProtect gateway is configured to require HIP match, but the user's endpoint does not meet the HIP profile.
Answer: A

An older client may not support TLS 1.2, causing the connection to fail if the gateway requires it.

Why this answer

Option A is correct because if the GlobalProtect client is an older version that does not support TLS 1.2, it will fail to establish the secure connection when the gateway requires TLS 1.2. Option D is incorrect because a HIP mismatch would typically cause a different error (e.g., 'Access denied' or 'Not compliant') after authentication, not a connection failure. Option C is incorrect because the administrator already confirmed the certificate CN matches the portal FQDN.

Option B is incorrect because the gateway authentication profile is not used for the TLS handshake; it is used after the tunnel is established.

14
Multi-Select · easy

Which TWO conditions are required for a successful GlobalProtect connection using certificate authentication?

Select 2 answers
A. The client certificate must be issued by a CA trusted by the firewall.
B. The GlobalProtect portal must have a certificate for SSL.
C. The user's browser must have the firewall's root CA certificate.
D. The firewall must have the client certificate's public key.
E. The client must have a valid username and password.
Answers: A, B

Correct. The firewall trusts the CA to validate the client certificate.

Why this answer

Certificate authentication requires the client certificate to be trusted by the firewall (the CA must be trusted), and the GlobalProtect portal must have an SSL certificate for the web interface.

15
Multi-Select · easy

Which TWO configurations are required on a GlobalProtect portal to enable automatic tunnel configuration for macOS clients? (Choose two.)

Select 2 answers
A. GlobalProtect client package assigned to macOS
B. Enable Automatic Tunnel
C. Gateway IP Pool configured
D. PanGPS (Pan GlobalProtect Service) enabled
E. Specify a Tunnel Interface
Answers: B, E

This setting must be enabled in the portal to allow automatic tunnel configuration.

Why this answer

Options B and E are correct. The portal must have 'Enable Automatic Tunnel' checked and a tunnel interface specified for macOS clients to receive automatic tunnel settings. Option D (PanGPS) is a helper tool for GPS but not required for automatic tunnel.

Option A (client package) is needed to distribute the client, but not specifically for automatic tunnel configuration. Option C (Gateway IP pool) is a gateway setting, not a portal setting.

16
Drag & Drop · medium

Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.



Why this order

Packet capture involves filter setup, traffic generation, and download.

17
MCQ · hard

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

A. The GlobalProtect app's cookie integrity is corrupted.
B. The IKE gateway's rekey lifetime is shorter than the IPSec security association lifetime.
C. The GlobalProtect client needs to be reinstalled.
D. The user-id agent is not resolving usernames correctly.
Answer: B

If the IKE rekey lifetime expires before the IPSec SA, the tunnel may be torn down unexpectedly.

Why this answer

The 'Tunnel rekey failed' error indicates that the IPsec security association (SA) rekey process failed. This most commonly occurs when the IKE gateway's rekey lifetime is shorter than the IPsec SA lifetime, causing the IKE phase 1 SA to expire before the IPsec phase 2 SA can be rekeyed. As a result, the tunnel drops and the client disconnects.

Exam trap

The trap here is that candidates often assume client-side issues (like app corruption or reinstallation) are the cause, when the error is clearly a gateway-side IPsec rekey misconfiguration.

How to eliminate wrong answers

Option A is wrong because cookie integrity corruption would cause authentication or session validation failures, not a rekey failure during IPsec SA renewal. Option C is wrong because reinstalling the client would not resolve a misconfiguration in the gateway's IKE or IPsec lifetime settings; the issue is on the server side. Option D is wrong because the user-id agent's inability to resolve usernames affects user mapping and policy enforcement, not the IPsec tunnel rekey process.

18
MCQ · easy

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

A. The remote users' computers are not domain-joined.
B. The external gateway is not configured for Kerberos authentication.
C. The authentication profile is not configured on the gateway.
D. The GlobalProtect gateway certificate is not trusted by the client.
Answer: A

Kerberos authentication requires the client to be domain-joined to obtain a ticket.

Why this answer

Kerberos authentication relies on the client being a member of the Active Directory domain to obtain a ticket-granting ticket (TGT) from the Key Distribution Center (KDC). Remote users whose computers are not domain-joined cannot acquire or present Kerberos tickets, causing authentication to fail. This is the most common reason for connection failures when Kerberos is used for GlobalProtect portal authentication.

Exam trap

The trap here is that candidates may assume Kerberos authentication can be used for external gateways or that the issue is certificate-related, but the key is understanding that Kerberos requires domain membership and cannot work for non-domain-joined remote clients.

How to eliminate wrong answers

Option B is wrong because the external gateway does not perform Kerberos authentication; Kerberos authentication is handled by the portal, and the gateway uses the authentication cookie issued by the portal after successful authentication. Option C is wrong because the authentication profile is configured on the portal, not the gateway; the gateway relies on the portal to validate the user and does not require its own authentication profile for Kerberos. Option D is wrong because while an untrusted gateway certificate can cause connection issues, it would typically produce a certificate warning or error, not a Kerberos authentication failure; the scenario specifically points to Kerberos authentication as the root cause.

19
MCQ · easy

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

A. Use user-ID on the GlobalProtect gateway.
B. Configure group mapping on the GlobalProtect portal.
C. Create a HIP profile and assign it to the gateway.
D. Configure a security policy with user-ID matching the required users.
Answer: D

Security policies can use user-ID to allow or deny traffic based on authenticated user.

Why this answer

Option D is correct because the security policy is the enforcement point that controls access to internal applications. By configuring a security policy with user-ID matching the required users, the firewall can restrict traffic based on the authenticated user identity, ensuring only specific users can reach the internal applications via GlobalProtect.

Exam trap

The trap here is that candidates often confuse the portal and gateway functions, thinking that user or group restrictions configured on the portal (like group mapping) will control application access, when in fact the security policy on the firewall is the only place to enforce which users can access specific internal resources.

How to eliminate wrong answers

Option A is wrong because user-ID on the GlobalProtect gateway is used to map IP addresses to usernames for visibility and policy enforcement, but it does not itself restrict access; it merely provides identity information. Option B is wrong because group mapping on the GlobalProtect portal is used to define which user groups can authenticate and download the portal configuration, but it does not control access to specific internal applications after the tunnel is established. Option C is wrong because a HIP profile is used to enforce endpoint compliance (e.g., antivirus, disk encryption) and is not a method to restrict access based on specific user identity; it checks the health of the client device, not the user.

20
MCQ · easy

A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?

A. User not assigned a license
B. Incorrect gateway IP address in portal configuration
C. Gateway interface not in the same zone as portal
D. Gateway MTU mismatch
Answer: B

The portal configuration must list the correct gateway IP address; otherwise the client cannot reach the gateway.

Why this answer

When a user can authenticate to the portal but cannot connect to the gateway, the portal may be supplying the wrong gateway IP address. The client uses this IP to initiate the gateway connection. If it is incorrect, the connection fails.

21
MCQ · medium

A network administrator is troubleshooting an IPsec site-to-site VPN that fails to establish. IKE phase 1 completes successfully, but phase 2 fails with a 'no proposal chosen' message. Both sides have identical IKE and IPsec crypto profiles, and the pre-shared key is correct. What is the most likely cause of the failure?

A. The proxy IDs (local/remote subnets) do not match between peers
B. The tunnel is configured as route-based instead of policy-based
C. The IKE gateway's local interface is down
D. Dead peer detection is not enabled on the IKE gateway
Answer: A

Mismatched proxy IDs are the most common cause of phase 2 failure.

Why this answer

Option A is correct because phase 2 failure with matching crypto profiles typically indicates a proxy ID mismatch. Option B is incorrect because route-based VPNs still require proxy IDs. Option C is incorrect because the IKE gateway's local interface is active; phase 1 completed successfully.

Option D is incorrect because dead peer detection settings do not affect phase 2 proposal negotiation.

22
MCQ · hard

A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?

A. Remove the pre-shared key from the IKE gateway configuration on the branch firewalls.
B. Change the IKE version on the hub to IKEv1.
C. Reissue the hub firewall's certificate with the correct subject name.
D. Ensure the internal CA is reachable from the branch firewalls.
Answer: A

When using certificate authentication, the pre-shared key should not be configured; otherwise the IKE proposal negotiation fails.

Why this answer

When using certificate-based authentication in IKEv2, the IKE gateway configuration must use only the certificate for authentication. If a pre-shared key is also configured, the firewall will attempt to use PSK authentication instead of the certificate, causing a mismatch with the peer expecting certificate-based authentication. This results in the 'no proposal chosen' error because the authentication method proposed (PSK) does not match the expected method (certificate).

Removing the pre-shared key from the branch firewalls' IKE gateway configuration forces them to use the certificate, aligning with the hub's configuration.

Exam trap

The trap here is that candidates assume a pre-shared key can remain as a fallback without affecting the authentication method negotiation, but in Palo Alto Networks IKEv2, the presence of a PSK overrides certificate authentication, causing a proposal mismatch.

How to eliminate wrong answers

Option B is wrong because changing the IKE version to IKEv1 would not resolve the authentication method mismatch; the issue is the authentication method, not the IKE version, and both sides are already configured for IKEv2. Option C is wrong because the hub's certificate subject name is not relevant to the 'no proposal chosen' error; the error indicates a proposal mismatch in authentication method, not a certificate validation issue. Option D is wrong because the internal CA does not need to be reachable during IKE negotiation; certificate validation uses the locally stored root CA certificate, not online CRL or OCSP checks by default, and the administrator already verified the root CA certificate is trusted.

23
MCQ · hard

After upgrading a firewall pair from PAN-OS 9.1 to 10.0, a route-based IPsec VPN to a partner is no longer establishing. The tunnel is configured with a tunnel interface (tunnel.1) with IP 10.0.0.1/30 and the remote tunnel interface is 10.0.0.2/30. IKE phase 1 completes successfully, but phase 2 fails with 'no proposal chosen' on both sides. Both firewalls have identical IPsec crypto profiles (ESP-AES-256, SHA-256, DH-5, 1-hour lifetime). What is the most likely cause?

A. The tunnel interface IP address conflicts with another interface
B. The new PAN-OS version requires a stronger DH group for IPsec
C. The proxy ID configuration was removed during the upgrade
D. A security policy blocking IKE is blocking the tunnel
Answer: C

Proxy IDs are required for route-based VPNs to map traffic; if missing, phase 2 fails.

Why this answer

Option C is correct because after an upgrade, proxy ID configurations may be lost or reset. Option B is incorrect because the crypto profiles, including the DH group, are identical on both sides. Option A is incorrect because route-based VPNs use proxy IDs, not the tunnel interface address, for traffic selection.

Option D is incorrect because the security policy would affect phase 1.

24
Multi-Select · easy

A network engineer is configuring a new GlobalProtect gateway to provide remote access. Which TWO items are required for the gateway to function properly?

Select 2 answers
A. A certificate for the gateway
B. An authentication profile
C. An IP pool for client IP assignment
D. A split tunneling configuration
E. A clientless VPN configuration
Answers: A, C

Required to secure the TLS tunnel.

Why this answer

A certificate is required for the gateway to terminate TLS connections, and an IP pool is required to assign IP addresses to VPN clients. An authentication profile can be configured but is not strictly required if the portal handles authentication. Clientless VPN and split tunneling are optional features.

25
MCQ · medium

A multinational corporation uses GlobalProtect with multiple gateways distributed globally for load balancing. The portal has 'Enable Location Awareness' enabled and region mapping is configured to map APAC users to the APAC gateway, US users to the US gateway, etc. Recently, users in the APAC region are being redirected to the US gateway, causing high latency. The AD admin confirms that users are in the correct APAC subnets. What is the most likely misconfiguration?

A. The APAC gateway's region mapping is configured with incorrect IP subnets
B. The location awareness database is outdated for APAC IP subnets
C. The APAC gateway's IP pool is exhausted
D. The portal's 'Primary Gateway' is set to the US gateway
Answer: B

An outdated database can cause incorrect gateway assignment.

Why this answer

Option B is correct because if the location database is outdated, the portal cannot determine the correct region. Option C is incorrect because the IP pool does not affect location redirection. Option D is incorrect because the primary gateway setting is not used with location awareness.

Option A is incorrect because region mapping is already enabled and the admin has confirmed the users are in the correct APAC subnets.

26
MCQ · easy

An administrator sees the IPSec tunnel state 'down' under the tunnel monitor. What is the most common cause for this issue?

A. Incorrect pre-shared key
B. Proxy ID mismatch
C. Tunnel interface IP misconfiguration
D. IKE version mismatch
Answer: A

An incorrect PSK causes phase 1 negotiation to fail, bringing the tunnel down.

Why this answer

The pre-shared key is used for peer authentication in phase 1. A mismatch is a frequent cause of tunnel failure.

27
MCQ · hard

A site-to-site IPsec tunnel between two Palo Alto Networks firewalls is not passing traffic. The administrator runs the 'show vpn ipsec-sa' command and sees the output in the exhibit. The remote peer is configured to use IKEv2 only. Based on the configuration, what is the most likely cause of the tunnel being in 'init' state?

A. The IKE version is incompatible.
B. The pre-shared key is incorrect.
C. The proxy IDs are mismatched with the peer.
D. The IPsec crypto profile lifetime is too short.
Answer: A

Local uses IKEv1, remote expects IKEv2; Phase 1 negotiation fails, resulting in 'init' state.

Why this answer

The 'init' state indicates that IKE Phase 1 has not completed successfully. Since the local firewall is configured for IKEv1 but the remote peer uses IKEv2 only, the IKE version mismatch prevents Phase 1 negotiation. Option B (pre-shared key incorrect) could also cause Phase 1 failure, but the exhibit does not indicate a key mismatch, and the problem statement emphasizes the peer's IKE version.

Option C (proxy IDs mismatched) would cause Phase 2 failure, not Phase 1. Option D (lifetime too short) is unlikely to cause a permanent 'init' state; it affects re-keying.

28
MCQ · medium

An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?

A. show counter global | match ipsec
B. show log system
C. debug ike global on
D. debug flow basic
Answer: C

This command enables detailed IKE debug logs, showing negotiation steps.

Why this answer

The 'debug ike global on' command enables detailed IKE negotiation logging, which is essential for diagnosing tunnel establishment failures.

29
MCQ · hard

During a security audit, it is discovered that the GlobalProtect gateway allows clients to use weak encryption algorithms. Which configuration object controls this?

A. The SSL/TLS service profile on the gateway.
B. The IPSec crypto profile associated with the gateway.
C. The GlobalProtect portal agent configuration.
D. The SSL/SSH service profile on the firewall.
Answer: B

Correct. Crypto profile defines algorithms for data encryption.

Why this answer

The IPSec crypto profile attached to the GlobalProtect gateway specifies the allowed encryption and authentication algorithms for the data tunnel.

30
MCQ · easy

What is the most likely cause of Phase 2 being down?

A. Mismatched IKE version
B. Mismatched IPSec encryption or authentication settings
C. Wrong tunnel interface IP address
D. Incorrect pre-shared key
Answer: B

'no matching proposal' indicates the IPsec proposal parameters do not match between peers.

Why this answer

The Phase 2 state is DOWN because the IPsec proposals (encryption, authentication, lifetime) do not match between the two tunnel endpoints.

31
MCQ · easy

Refer to the exhibit. A network engineer sees multiple IKE SAs for the same peer. What does this indicate?

A. A configuration error causes duplicate SAs.
B. Multiple Phase 2 tunnels are established.
C. Multiple Phase 1 proposals are accepted.
D. The firewall is under DDoS attack.
Answer: B

Correct. Each proxy ID pair negotiates its own IPsec (Phase 2) SA under the single IKE SA with that peer.

Why this answer

Multiple SA entries for the same peer normally mean several Phase 2 tunnels: each proxy ID pair produces a separate IPsec SA, all negotiated under one IKE (Phase 1) SA. On PAN-OS, 'show vpn ike-sa' lists the Phase 1 SA per IKE gateway, while 'show vpn ipsec-sa' lists one entry per tunnel and proxy ID. Genuinely duplicate IKE SAs appear only transiently, around a rekey or when both sides initiate at the same moment, so a steady-state list of several entries points at Phase 2, not at a configuration error or an attack.

32
MCQhard

An organization uses RADIUS as the primary authentication method for GlobalProtect with One-Time Password (OTP). Users can authenticate to the portal, but the gateway connection fails. The RADIUS server logs show successful authentication. What is the most likely issue?

A.The portal's authentication profile does not pass the OTP to the gateway
B.The RADIUS server does not return a session timeout
C.The firewall is not configured to allow RADIUS traffic
D.The gateway is not configured to use RADIUS
AnswerD

Each gateway carries its own client authentication configuration; without an authentication profile there, the gateway cannot authenticate the user the portal has just admitted.

Why this answer

The gateway must have its own authentication profile that references the RADIUS server; the portal's profile is not inherited. A practitioner caveat with OTP: because a one-time code is consumed when the portal validates it, a gateway that re-authenticates against RADIUS will prompt for a second code, and the first one is rejected if reused. The usual fix is to enable Authentication Override on the portal (generate cookie) and on the gateway (accept cookie), so the gateway trusts the portal's encrypted cookie instead of repeating the RADIUS exchange.
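The following is an added example, not part of this question bank, showing why a one-time password works at the portal but fails when the gateway re-authenticates, and how a portal-issued authentication-override cookie avoids the second prompt. The OTP server and the cookie format are simplified stand-ins written for this example: PAN-OS encrypts its override cookie with a certificate rather than signing it with an HMAC key as done here, and the user, code and key values are constructed.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the cookie body


class OtpRadiusServer:
    """Constructed stand-in for a RADIUS server backed by OTP: each code is valid once."""

    def __init__(self, valid_codes):
        self._unused = set(valid_codes)  # {(user, code), ...}

    def authenticate(self, user, code):
        if (user, code) in self._unused:
            self._unused.remove((user, code))  # the code is consumed on first use
            return True
        return False


def mint_cookie(secret: bytes, user: str, issued_at: int, lifetime_s: int) -> str:
    """Portal side: bind the user and an expiry to an HMAC the gateway can verify."""
    body = json.dumps({"user": user, "exp": issued_at + lifetime_s}).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_cookie(secret: bytes, cookie: str, now: int):
    """Gateway side: return the user if the cookie is authentic and unexpired, else None."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    return claims["user"] if claims["exp"] > now else None


def connect_without_override(server, user, otp):
    """Portal and gateway each authenticate against RADIUS with the same OTP."""
    portal_ok = server.authenticate(user, otp)
    gateway_ok = portal_ok and server.authenticate(user, otp)  # code already consumed
    return portal_ok, gateway_ok


def connect_with_override(server, secret, user, otp, now, lifetime_s=3600):
    """Portal authenticates once and mints a cookie; the gateway accepts the cookie."""
    if not server.authenticate(user, otp):
        return False, False
    cookie = mint_cookie(secret, user, now, lifetime_s)
    gateway_ok = verify_cookie(secret, cookie, now + 5) == user  # a few seconds later
    return True, gateway_ok


if __name__ == "__main__":
    print(connect_without_override(OtpRadiusServer({("alice", "123456")}), "alice", "123456"))
    print(connect_with_override(OtpRadiusServer({("alice", "123456")}), b"portal-key",
                                "alice", "123456", now=1_700_000_000))
```

The first call reproduces the symptom in the question (portal succeeds, gateway fails); the second shows the gateway accepting the portal's cookie. An expired or re-keyed cookie is rejected, which is why the override lifetime on the portal should be kept short.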

33
MCQmedium

An organization uses GlobalProtect with multiple gateways for different regions. Users in the Asia region are connecting to the wrong gateway. What is the most likely cause?

A.Users are manually selecting the wrong gateway from the client.
B.The gateways are not configured with priority settings.
C.The gateway selection rules on the portal do not match the users' source IP ranges.
D.The DNS resolution for the portal returns multiple IPs in round-robin.
AnswerC

If the source IP ranges in the rules are incorrect, users may be assigned to a non-optimal gateway.

Why this answer

Option C is correct because GlobalProtect gateway selection is primarily determined by the gateway selection rules configured on the portal. These rules evaluate the user's source IP address against defined IP ranges (or countries) to assign the appropriate gateway. If the rules do not match the users' source IP ranges in the Asia region, the portal will either fail to assign a gateway or assign a default gateway, causing users to connect to the wrong gateway.

Exam trap

The trap here is that candidates often confuse gateway priority (which only orders the gateways a user is already eligible for; the agent picks the highest priority and breaks ties by response time) with gateway selection rules (which decide, from the user's source region, which gateways are candidates at all), leading them to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because while manual selection is possible, the scenario describes users 'connecting to the wrong gateway,' which implies an automated selection failure, not user error; manual selection would require deliberate action and is not the 'most likely cause' in a multi-region deployment. Option B is wrong because priority settings only order the gateways a user is already eligible for and control failover among them; they do not decide which region's gateways are candidates, which is what the portal's gateway selection rules do. Option D is wrong because DNS round-robin for the portal would distribute users across multiple portal IPs, but the portal itself still enforces gateway selection rules; this would not cause users to connect to the wrong gateway unless the portal configuration is incorrect.

34
Multi-Selectmedium

Which THREE troubleshooting steps should be taken when a site-to-site VPN tunnel is up but no traffic passes?

Select 3 answers
A.Verify the routing table on both firewalls.
B.Check the firewall policies for the tunnel zone.
C.Increase the IPSec SA lifetime.
D.Verify the proxy IDs on both peers match.
E.Ensure the tunnel interface is placed in a virtual router.
AnswersA, B, D

Correct. Routing must direct traffic into the tunnel.

Why this answer

Common causes for no traffic despite the tunnel being up are a missing or wrong route into the tunnel interface, a security policy that does not permit traffic between the inside zone and the tunnel's zone, and proxy IDs that do not mirror the peer's (traffic matching no negotiated proxy ID has no SA to use and is dropped). Proxy IDs mainly matter when the peer is a policy-based device; a pair of Palo Alto firewalls with no proxy IDs configured negotiates the default 0.0.0.0/0 to 0.0.0.0/0 selector. Increasing the SA lifetime (C) only changes rekey timing, and the tunnel interface must already be in a virtual router for any routing to work, so E is a prerequisite rather than a troubleshooting step. Quick checks: 'show vpn flow' for encap/decap counters on the tunnel, 'show routing route' for the route, and the traffic log filtered on the tunnel zone for policy denies.

35
MCQmedium

A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?

A.The tunnel interface is not assigned to a security zone.
B.Dead peer detection (DPD) is not configured.
C.The local and peer IP addresses are swapped on one side.
D.The MTU on the WAN interface is set too low.
AnswerC

If the local and peer IPs are reversed, the IKE negotiation will fail because the peer expects the opposite.

Why this answer

Option C is correct because if the local and peer IP addresses are swapped on one side, the IKE gateway configuration will not match the expected endpoints. IKEv2 requires that each side's local address corresponds to the other side's peer address; a mismatch prevents the initial IKE_SA_INIT exchange from completing, as the firewalls will not recognize each other as valid peers despite matching pre-shared keys and algorithms.

Exam trap

The trap here is that candidates assume matching pre-shared keys and encryption algorithms guarantee tunnel establishment, overlooking the fundamental requirement that the IKE gateway's local and peer IP addresses must be correctly mirrored on both sides.

How to eliminate wrong answers

Option A is wrong because a tunnel interface not assigned to a security zone would prevent traffic from being processed by security policies, but it does not prevent the IKEv2 tunnel from establishing at the IKE/Phase 1 level. Option B is wrong because Dead Peer Detection (DPD) is used to monitor the liveliness of an established tunnel, not to bring it up; a missing DPD configuration does not block the initial IKE negotiation. Option D is wrong because an MTU set too low on the WAN interface could cause fragmentation issues for encapsulated packets, but it would not prevent the IKEv2 handshake from starting; the tunnel would likely come up but experience packet drops for larger payloads.

36
MCQmedium

Refer to the exhibit. A firewall administrator configures an IPSec tunnel. After committing, the tunnel never becomes active. What is the most likely reason?

A.The tunnel interface is not in a zone.
B.The IKE gateway configuration is missing.
C.The proxy-id protocol should be set to '0' for all.
D.The crypto profile name is invalid.
AnswerB

Correct. Without a valid IKE gateway, the tunnel cannot establish.

Why this answer

The configuration references an IKE gateway named 'GW1'. If that gateway is not configured or missing, IKE negotiation cannot start.

37
MCQmedium

An organization has two sites connected via IPSec VPN. The tunnel is up, but ICMP traffic between sites fails. No other traffic works. The firewall policy allows any-any. What is the most likely issue?

A.The IKE phase 1 proposal is mismatched.
B.The proxy IDs (interesting traffic) are not configured correctly.
C.The IPSec crypto profile uses AES-256 and the peer uses 3DES.
D.The tunnel interface MTU is set too low.
AnswerB

Correct. Traffic that matches no negotiated proxy ID has no IPsec SA to use, so the firewall drops it instead of encapsulating it.

Why this answer

Even when the tunnel shows up, only flows covered by a negotiated proxy ID pair are encapsulated; if the proxy IDs do not cover the subnets the hosts actually use, or the peer defines them differently, the firewall has no SA for those flows and drops them. 'show vpn ipsec-sa' shows which proxy IDs actually negotiated, and 'show vpn flow' shows whether the tunnel's encap counters move when the ping is sent.

38
MCQhard

A company integrates GlobalProtect with SAML for SSO. Users report that after authentication, they receive a 'Portal cannot be reached' error. The firewall logs show the SAML authentication succeeded. What should the administrator check?

A.The user's browser is blocking pop-ups from the portal.
B.The GlobalProtect portal agent is not set to use the correct SAML profile.
C.The SAML identity provider's certificate is not imported on the firewall.
D.The SSL/TLS service profile on the portal is not bound to the correct certificate.
AnswerD

Correct. A mismatched certificate causes the browser to block the portal after SAML.

Why this answer

After SAML authentication, the portal must present its web page over SSL. If the SSL/TLS service profile is not bound to the correct certificate, the browser may reject the connection.

39
MCQhard

A company wants to deploy GlobalProtect to 10,000 remote users. Which method provides the most scalable and automated distribution of the client software?

A.Web-based download from the portal.
B.Manual installation via USB.
C.Email attachment.
D.Group Policy deployment via Active Directory.
AnswerA

Correct. Users download the client from the portal, which is automated and scalable.

Why this answer

Web-based download from the portal is the simplest and most automated method for large-scale deployments, as users can download the client on demand.

40
MCQmedium

A company wants to provide VPN access to external business partners who do not have the GlobalProtect client installed. Which VPN method should be used?

A.SSL VPN (clientless)
B.GlobalProtect with pre-logon
C.IPSec VPN
D.L2TP over IPSec
AnswerA

Clientless SSL VPN allows users to access web applications via a browser without installing software.

Why this answer

Clientless SSL VPN provides web-based access without installing any client software, ideal for partners.

41
MCQhard

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

A.The tunnel interface is not in a virtual router.
B.The firewall does not have a route to the virtual IP pool.
C.The security policy does not allow traffic from the VPN zone.
D.The IP pool for the VPN client is exhausted.
AnswerB

Without a route for the virtual IP pool, the firewall cannot route return traffic to the tunnel interface.

Why this answer

When a GlobalProtect gateway uses an IPSec tunnel, the client receives an address from the IP pool configured under the gateway's client settings, and that pool must be reachable through the tunnel interface from wherever the internal resources sit. If internal hosts or an upstream router have no route back to the pool, or the tunnel interface lives in a different virtual router than the internal interfaces, replies never reach the client even though the tunnel is up and the client holds an address. Check the firewall with 'show routing route' and 'test routing fib-lookup virtual-router <vr> ip <client-ip>', then verify the return route on the next hop toward the servers.

Exam trap

The trap here is that candidates assume a successful tunnel establishment and IP assignment guarantee connectivity, overlooking the separate requirement for a return route to the virtual IP pool.

How to eliminate wrong answers

Option A is wrong here because a tunnel interface outside any virtual router would leave the firewall unable to route in either direction through the tunnel; it is a broader, build-time failure than the missing return route the question describes. Option C is wrong because the route lookup (which also determines the destination zone) happens before security policy evaluation; with no route to the virtual IP pool, traffic is dropped before it reaches the policy engine, so the policy is not the primary cause. Option D is wrong because if the IP pool were exhausted, the client would not receive an IP address and would fail to connect entirely, but the question states the client does receive an IP address.

42
MCQeasy

A small company has two sites connected by a policy-based IPsec VPN. Users at Site B report they cannot reach a server at Site A with IP 10.1.1.100. The firewall administrator checks the VPN monitor and sees the tunnel is active and IKE SAs are up. From the Site B firewall, a ping to 10.1.1.100 succeeds. However, a user on a PC (192.168.50.10) behind the Site B firewall cannot ping 10.1.1.100. The security policy on the Site B firewall allows traffic from trust to VPN zones. What is the most likely cause of the issue?

A.The security policy on Site B does not include the user subnet as a source for traffic into the VPN zone
B.NAT is translating the user's IP to an incorrect address
C.The IPsec tunnel has a misconfigured proxy ID
D.The Site A firewall has a route missing for the Site B user subnet
AnswerA

The policy must match the actual flow: source zone trust, destination zone VPN, and a source address that covers 192.168.50.0/24.

Why this answer

Option A is correct because, on a policy-based tunnel, the security policy on Site B must match the user's subnet as the source; a rule that allows trust to VPN can still miss the flow if its source address object does not cover 192.168.50.10. Option C is incorrect because a proxy-ID mismatch would prevent the Phase 2 SA from coming up, yet the VPN monitor shows the tunnel active.

Option B is less likely because nothing in the scenario applies NAT to tunnel-bound traffic; if a NAT rule did exist, the traffic log would show the translated address. Option D is weakened by the firewall-sourced ping succeeding, although that only proves Site A can reach the firewall's own source address; in practice you would still confirm that Site A holds a return route for 192.168.50.0/24.

43
MCQmedium

A company uses GlobalProtect with internal gateways for accessing data center resources. Users on the internal network should not use the VPN. What is the best practice configuration?

A.Use the same portal for both internal and external with a single gateway.
B.Use the Internal Gateway with a pre-logon check.
C.Set the gateway to require internal client detection via IP range exclusion.
D.Disable the GlobalProtect agent for internal IP ranges.
AnswerB

Correct. With internal host detection the agent recognises the corporate network and connects to the internal gateway without building a tunnel.

Why this answer

The portal's internal host detection (an internal hostname that must resolve to a configured internal IP) lets the agent recognise that it is on the corporate network; it then registers with the internal gateway, which by default runs without a tunnel and provides User-ID and HIP information, instead of connecting to an external gateway. Traffic to the data center therefore takes the normal LAN path rather than hairpinning through a VPN.

44
MCQhard

Refer to the exhibit. A firewall log shows these messages for an IPSec tunnel. Which configuration mismatch is the likely cause?

A.IKE Phase 1 proposal mismatch.
B.Preshared key mismatch.
C.IKE Phase 2 proposal mismatch.
D.Invalid peer IP address.
AnswerC

Correct. The warning explicitly states Phase 2 negotiation failed.

Why this answer

The log indicates Phase 2 negotiation failed due to no acceptable proposal set. This points to a mismatch in IPSec parameters (e.g., encryption, authentication, lifetime).
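The following is an added example, not part of this question bank, that models the checks a pair of Palo Alto IKE gateway and IPSec tunnel configurations must pass at each stage: IKE Phase 1 (questions 27 and 35), IPsec Phase 2 (questions 30, 37 and 44), and forwarding once the SAs are up (questions 34, 51 and 55). It reports the first stage that fails, which is the order in which you would troubleshoot. The peer records, proposals, routes and policies are constructed sample data with field names chosen for this example; they are not PAN-OS configuration syntax.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class ProxyId:
    local: str    # local interesting-traffic subnet
    remote: str   # remote interesting-traffic subnet


@dataclass(frozen=True)
class Peer:
    """One side's IKE gateway, IPSec tunnel and forwarding configuration."""
    name: str
    local_ip: str
    peer_ip: str
    ike_versions: frozenset      # e.g. {"ikev2"}; both entries if either is allowed
    psk: str
    ike_proposals: frozenset     # Phase 1 proposals as "enc/auth/dh-group" strings
    ipsec_proposals: frozenset   # Phase 2 proposals as "esp-enc/auth/pfs-group" strings
    proxy_ids: frozenset         # set of ProxyId
    tunnel_if: str
    tunnel_zone: Optional[str]
    routes: dict                 # destination prefix -> egress interface
    policies: tuple              # (from_zone, to_zone, action) rules


def check_phase1(a: Peer, b: Peer) -> list:
    """What must agree before the IKE SA can form."""
    problems = []
    if a.peer_ip != b.local_ip or b.peer_ip != a.local_ip:
        problems.append("local/peer addresses are not mirrored")
    if not a.ike_versions & b.ike_versions:
        problems.append("no common IKE version")
    if not a.ike_proposals & b.ike_proposals:
        problems.append("no acceptable IKE (Phase 1) proposal")
    if a.psk != b.psk:
        problems.append("pre-shared key mismatch")
    return problems


def check_phase2(a: Peer, b: Peer) -> list:
    """What must agree before the IPsec SA can form."""
    problems = []
    if not a.ipsec_proposals & b.ipsec_proposals:
        problems.append("no acceptable IPsec (Phase 2) proposal")
    mirrored = frozenset(ProxyId(p.remote, p.local) for p in b.proxy_ids)
    if a.proxy_ids != mirrored:
        problems.append("proxy IDs are not mirrored on the peer")
    return problems


def check_forwarding(p: Peer, src_zone: str) -> list:
    """Why an 'up' tunnel can still pass nothing: zone, route and policy."""
    problems = []
    if p.tunnel_zone is None:
        problems.append(f"{p.tunnel_if} is not in a security zone")
    for pid in p.proxy_ids:
        # longest-prefix match of the remote subnet against the routing table
        matches = [(ip_network(dst).prefixlen, egress)
                   for dst, egress in p.routes.items()
                   if ip_network(pid.remote).subnet_of(ip_network(dst))]
        egress = max(matches)[1] if matches else None
        if egress != p.tunnel_if:
            problems.append(f"no route to {pid.remote} via {p.tunnel_if}")
    if p.tunnel_zone and not any(f == src_zone and t == p.tunnel_zone and act == "allow"
                                 for f, t, act in p.policies):
        problems.append(f"no security policy allowing {src_zone} -> {p.tunnel_zone}")
    return problems


def diagnose(a: Peer, b: Peer, src_zone: str = "trust") -> tuple:
    """Return (first failing stage, reasons) as seen from peer a; ('ok', []) when clean."""
    for stage, problems in (("phase1", check_phase1(a, b)),
                            ("phase2", check_phase2(a, b)),
                            ("forwarding", check_forwarding(a, src_zone))):
        if problems:
            return stage, problems
    return "ok", []


# Constructed working pair using documentation address ranges.
SITE_A = Peer("site-a", "203.0.113.1", "198.51.100.1", frozenset({"ikev2"}), "s3cret",
              frozenset({"aes-256-cbc/sha256/group14"}),
              frozenset({"esp-aes-256-cbc/sha256/group14"}),
              frozenset({ProxyId("10.1.1.0/24", "192.168.50.0/24")}), "tunnel.1", "vpn",
              {"192.168.50.0/24": "tunnel.1", "0.0.0.0/0": "ethernet1/1"},
              (("trust", "vpn", "allow"), ("vpn", "trust", "allow")))
SITE_B = Peer("site-b", "198.51.100.1", "203.0.113.1", frozenset({"ikev2"}), "s3cret",
              frozenset({"aes-256-cbc/sha256/group14"}),
              frozenset({"esp-aes-256-cbc/sha256/group14"}),
              frozenset({ProxyId("192.168.50.0/24", "10.1.1.0/24")}), "tunnel.1", "vpn",
              {"10.1.1.0/24": "tunnel.1", "0.0.0.0/0": "ethernet1/1"},
              (("trust", "vpn", "allow"), ("vpn", "trust", "allow")))

# Each variant reproduces one failure mode from the questions above.
B_SWAPPED_IPS = replace(SITE_B, local_ip="203.0.113.1", peer_ip="198.51.100.1")  # Q35
B_IKEV1_ONLY = replace(SITE_B, ike_versions=frozenset({"ikev1"}))                # Q27
B_3DES = replace(SITE_B, ipsec_proposals=frozenset({"esp-3des/sha1/group2"}))     # Q30/Q44
A_NO_POLICY = replace(SITE_A, policies=(("vpn", "trust", "allow"),))              # Q51/Q55
A_NO_ROUTE = replace(SITE_A, routes={"0.0.0.0/0": "ethernet1/1"})                 # Q34

if __name__ == "__main__":
    for label, a, b in (("baseline", SITE_A, SITE_B), ("swapped", SITE_A, B_SWAPPED_IPS),
                        ("3des", SITE_A, B_3DES), ("no policy", A_NO_POLICY, SITE_B)):
        print(f"{label:>10}: {diagnose(a, b)}")
```

The stage names map onto the firewall's own evidence: a 'phase1' result corresponds to an IKE SA stuck in init, 'phase2' to the "no acceptable proposal" message in the exhibit above, and 'forwarding' to the tunnel-up-but-no-traffic cases where 'show vpn flow' counters stay at zero.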

45
MCQmedium

A user tries to connect to the GlobalProtect portal but receives 'Certificate validation failed'. What is the most likely missing configuration?

A.The root CA certificate is not imported into the firewall
B.The gateway's certificate is not configured
C.The user's client certificate is expired
D.The portal's certificate is not configured
AnswerA

The firewall must trust the CA that issued the client certificates.

Why this answer

For certificate-based client authentication, the firewall needs the CA chain that issued the client certificates imported and referenced in the certificate profile; otherwise it cannot validate them. Note that the same wording also appears on the client side when the agent does not trust the portal's server certificate, so check the agent log (PanGPS.log) to see which certificate failed validation before changing the firewall.

46
MCQeasy

A company is deploying GlobalProtect for remote users and wants to enforce that only users with valid certificates are allowed to connect. Which configuration is required on the GlobalProtect gateway?

A.Define a tunnel interface with an IP address that matches the certificate subject
B.Set the gateway's IP pool to require certificate authentication
C.Configure a certificate profile in the gateway's authentication settings
D.Configure client authentication in the portal with a certificate profile
AnswerC

The gateway uses a certificate profile to validate client certificates during tunnel establishment.

Why this answer

Option C is correct because the gateway's client authentication settings must reference a certificate profile; that profile names the CA(s) the firewall trusts for client certificates and is what validates the certificate presented during tunnel setup. Option D is incorrect because client authentication configured on the portal only governs portal access; the gateway authenticates separately. Option B is incorrect because the IP pool only assigns tunnel addresses and cannot enforce authentication.

Option A is incorrect because the tunnel interface's IP address is unrelated to certificate authentication.

47
MCQhard

A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?

A.Pre-logon token not enabled on the portal
B.Gateway's certificate not imported or untrusted
C.Pre-logon token not enabled on the gateway
D.Portal's authentication profile does not allow pre-logon
AnswerB

If the gateway's certificate is not trusted, the client will reject the connection during pre-logon.

Why this answer

During pre-logon, the client connects to the gateway using machine credentials. If the gateway certificate is not trusted, the SSL handshake fails, preventing access.

48
Multi-Selectmedium

Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?

Select 2 answers
A.Client certificate
B.Security zone for the tunnel interface
C.Tunnel interface
D.GlobalProtect portal configuration
E.IKE gateway configuration
AnswersB, C

The tunnel interface terminates the client tunnel and, like any interface that carries traffic, must sit in a security zone.

Why this answer

A tunnel interface is required on the firewall to terminate the IPSec tunnel from the remote GlobalProtect client. It serves as the logical endpoint for the encrypted traffic, allowing the firewall to apply security policies and route decrypted traffic appropriately; without it, the IPSec security associations cannot be mapped to an interface for traffic processing. That interface must also be assigned to a security zone (option B), because PAN-OS matches decrypted client traffic against security policy by zone. A GlobalProtect gateway does not use a Network > IKE Gateways object (option E): the client does not run IKE with the firewall, and the ESP parameters come from the GlobalProtect IPSec Crypto profile referenced in the gateway's tunnel settings.

Exam trap

The trap here is twofold: candidates treat the GlobalProtect portal configuration as a prerequisite for the tunnel, when the portal only delivers client configuration and certificate provisioning, and they reach for the IKE gateway object because that is what site-to-site IPSec uses; GlobalProtect negotiates its IPSec keys over the SSL session to the gateway and never references an IKE gateway.

49
Multi-Selecteasy

Which TWO of the following are supported authentication methods for IPSec VPN tunnel setup between two Palo Alto Networks firewalls?

Select 2 answers
A.Certificate
B.RADIUS
C.SAML
D.LDAP
E.Pre-shared key
AnswersA, E

Certificate authentication is supported for IPSec tunnels.

Why this answer

IPSec tunnel authentication between firewalls supports pre-shared keys and digital certificates.

50
Multi-Selecthard

Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?

Select 3 answers
A.Policy-based VPN using a tunnel monitor
B.GlobalProtect Gateway configuration
C.Route-based VPN using a virtual router and static route
D.SSL VPN using GlobalProtect portal
E.Tunnel interface with IPSec tunnel configuration
AnswersA, C, E

On a Palo Alto Networks firewall every IPsec VPN is built on a tunnel interface; proxy IDs let it interoperate with policy-based peers, and tunnel monitor is an optional liveness check layered on top.

Why this answer

Option A is correct because PAN-OS interoperates with policy-based peers by defining proxy IDs on the IPSec tunnel (the peer's interesting-traffic selectors), and that tunnel can carry a tunnel monitor, which sends ICMP probes to a configured IP across the tunnel so the firewall can detect failure and fail over or withdraw the route. Options C and E describe the same route-based design from two angles: the tunnel interface bound to an IPSec tunnel object (E), and the virtual router with a static route pointing at that interface (C).

Exam trap

The trap here is that candidates confuse remote access VPN methods (GlobalProtect Gateway and Portal) with site-to-site VPN methods, leading them to select options B or D, which are exclusively for client-to-site connectivity.

51
MCQhard

Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?

A.The IKE gateway is not configured with the correct peer IP.
B.No security policy allows traffic from the VPN zone.
C.The proxy IDs do not match the remote peer.
D.The tunnel interface is not assigned to a zone.
AnswerB

Even though the tunnel is up, traffic can be blocked by security policy if no rule permits it.

Why this answer

When a site-to-site VPN tunnel is up but traffic is not passing, the most common cause is the absence of a security policy that permits traffic from the VPN zone to the destination zone. Even if IKE and IPsec SAs are established, the firewall drops the decrypted traffic if no rule explicitly allows it. This is a fundamental Palo Alto Networks concept: tunnel establishment and data forwarding are separate control and data plane functions.

Exam trap

Palo Alto Networks often tests the misconception that a tunnel being up automatically means traffic will pass, but Palo Alto Networks requires an explicit security policy to permit decrypted traffic from the VPN zone.

How to eliminate wrong answers

Option A is wrong because if the IKE gateway had an incorrect peer IP, the tunnel would not come up at all (IKE phase 1 would fail). Option C is wrong because mismatched proxy IDs would cause IPsec SA negotiation to fail, preventing the tunnel from reaching an up state. Option D is less likely because the tunnel interface's zone plays no part in IKE or IPsec negotiation; an unzoned interface is caught when the configuration is reviewed, whereas a missing security policy is the common day-two fault behind an up tunnel that forwards nothing.

52
MCQhard

A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?

A.The user's GlobalProtect client software is outdated
B.The gateway's 'Allow Access' list does not include the user
C.The gateway's interface is not in the same zone as the portal
D.The portal's 'Access' list does not include the user
AnswerB

The gateway can restrict access based on user or group; if the user is not allowed, the connection is dropped.

Why this answer

Even after authentication, the gateway's 'Allow Access' list controls which users are permitted to establish the VPN tunnel. If the user is not listed, the gateway will reject the connection.

53
Multi-Selecthard

Which THREE of the following are capabilities of GlobalProtect Host Information Profile (HIP)?

Select 3 answers
A.Check the user's location
B.Check the browser version
C.Check if antivirus is installed and running
D.Check if disk encryption is enabled
E.Check the operating system version
AnswersC, D, E

HIP can verify antivirus status.

Why this answer

HIP collects system information such as OS, antivirus, disk encryption, and firewall status to enforce compliance.

54
Multi-Selectmedium

Which THREE of the following are valid configuration elements for a tunnel interface in Palo Alto Networks?

Select 3 answers
A.Zone
B.IP address
C.Traffic shaping policy
D.Management Profile
E.Netflow profile
AnswersA, B, D

A tunnel interface must be assigned to a zone for security policy.

Why this answer

A tunnel interface needs a security zone (for policy) and a virtual router (for routing); an IP address is a valid but optional element, needed only when the interface must source traffic, for example for tunnel monitoring or a dynamic routing protocol over the tunnel. A management profile can optionally be attached to that address to permit ping or other management services on it.

55
MCQeasy

An administrator configures a VPN tunnel between two Palo Alto firewalls. The tunnel shows as active, but traffic is not being encrypted. What configuration step is most likely missing?

A.The encryption algorithm must be set to null.
B.A NAT policy to translate private addresses.
C.A security policy allowing traffic from the tunnel interface to the destination.
D.The tunnel interface must be assigned to a security zone.
AnswerC

Correct. Without a policy, traffic is dropped.

Why this answer

Even if the tunnel is active, a security policy is required to allow traffic from the source to the destination zone; without it, packets are dropped before encryption.
