PCNSE · topic practice

Secure Access and VPN practice questions

Practise Palo Alto Networks Certified Network Security Engineer (PCNSE) Secure Access and VPN questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Secure Access and VPN

What the exam tests

What to know about Secure Access and VPN

Secure Access and VPN questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Secure Access and VPN exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Secure Access and VPN questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

An administrator configures a GlobalProtect portal with an authentication profile that uses Kerberos. Users report they cannot connect from remote locations. What is the most likely cause?

Question 2 · medium · multiple choice

A company is deploying GlobalProtect with internal gateways. They want to ensure that users who are inside the corporate network connect directly to internal resources without going through the firewall. Which configuration is required?

Question 3 · hard · multiple choice

A firewall is configured with a GlobalProtect gateway that uses an IPSec tunnel. Remote users can connect but cannot access any resources. The administrator verifies that the tunnel is established and the client receives an IP address. What is the most likely cause?

Question 4 · medium · multiple choice

A company configures site-to-site VPN between two Palo Alto Networks firewalls using IKEv2. The tunnel does not come up. The administrator checks the IKE gateway configuration on both sides and sees matching pre-shared keys, IKE version, and encryption algorithms. What is the most likely remaining issue?

Question 5 · hard · multiple choice

An administrator is troubleshooting a GlobalProtect VPN where users report frequent disconnections. The administrator notices that the GlobalProtect gateway logs show 'Tunnel rekey failed' errors. What is the most likely cause?

Question 6 · easy · multiple choice

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

Question 7 · medium · multiple choice

An organization uses GlobalProtect with multiple gateways for different regions. Users in the Asia region are connecting to the wrong gateway. What is the most likely cause?

Question 8 · medium · multi select

Which TWO are required for a GlobalProtect gateway to establish an IPSec tunnel with a remote client?

Question 9 · hard · multi select

Which THREE are valid methods for configuring a site-to-site VPN on a Palo Alto Networks firewall?

Question 10 · hard · multiple choice

Refer to the exhibit. A site-to-site VPN is configured between two branches. The tunnel is up but traffic is not passing. What is the most likely issue?

Exhibit


show vpn gateway

Name: Corp-GW
Peer IP: 203.0.113.1
Local IP: 198.51.100.1
IKE version: IKEv2
Pre-shared key: ****
IKE crypto profile: default
DPD: enabled

show vpn tunnel

Name: Corp-Tun
Tunnel interface: tunnel.1
Type: IPSec
IKE gateway: Corp-GW
IPSec crypto profile: default
Proxy IDs: local 10.0.0.0/16, remote 172.16.0.0/16

show routing route

Destination: 172.16.0.0/16
Next hop: tunnel.1
Metric: 10

show interface tunnel.1

Interface: tunnel.1
Zone: VPN-Zone
Virtual router: default

Question 11 · medium · multiple choice

Refer to the exhibit. A user inside the corporate network (IP: 10.1.1.5) connects to the portal. The portal detects the internal host and does not assign a gateway. However, the user still cannot access internal resources. What is the most likely issue?

Exhibit


GlobalProtect Portal Configuration:
  Portal Name: corp-portal
  Authentication Profile: LDAP_Auth
  Gateway: corp-gw
  Client Authentication: Required
  Internal Host Detection: 10.0.0.0/8

GlobalProtect Gateway Configuration:
  Gateway Name: corp-gw
  Tunnel Interface: tunnel.3
  IPSec Crypto Profile: GP-default
  Client IP Pool: 192.168.1.100-192.168.1.200
  Security Rules: allow all

Question 12 · hard · multiple choice

A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?

Question 13 · medium · drag order

Order the steps to capture traffic on a Palo Alto Networks firewall using the packet capture feature.

Question 14 · medium · matching

Match each security rule action to its effect.

Permits traffic matching the rule

Blocks traffic and sends a reset

Silently discards traffic without notification

Sends TCP reset to client only

Sends TCP reset to both client and server

Question 15 · easy · multiple choice

A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?

Question 16 · medium · multiple choice

An IPSec tunnel between two PA firewalls fails to establish. On the initiator, 'show vpn ipsec-sa' shows no SAs. Which debug command would provide the most detailed information about IKE negotiation?

Question 17 · hard · multiple choice

A GlobalProtect user cannot connect to any resources after authenticating successfully. Portal and gateway configurations appear correct. What is the most likely issue?

Question 18 · easy · multiple choice

When configuring GlobalProtect with certificate authentication, a user reports that the client prompts for username and password even though the certificate is installed. What is the most likely cause?

Question 19 · medium · multiple choice

A network engineer configures a tunnel interface for IPSec VPN. After committing, the interface is up but no traffic passes. The tunnel itself is established (IKEv2). What should the engineer check first?

Question 20 · hard · multiple choice

A company wants to use GlobalProtect with pre-logon (user unknown). After configuration, users report that they can authenticate but cannot access the gateway during pre-logon. Which configuration item is most likely missing?

Frequently asked questions

What does the PCNSE exam test about Secure Access and VPN?
Secure Access and VPN questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Secure Access and VPN questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure Access and VPN domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCNSE topics?
Use the topic links above to move to related areas, or go back to the PCNSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCNSE exam covers. They are not copied from any real exam or dump site.