
PCNSE · Question #864

PCNSE Question #864: Real Exam Question with Answer & Explanation

The correct answer is A: Enable PFS under the IKE Gateway advanced options.

Submitted by takeshi77 · Apr 18, 2026 · Configuration Troubleshooting

Question

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?

Options

  • A. Enable PFS under the IKE Gateway advanced options
  • B. Enable PFS under the IPsec Tunnel advanced options
  • C. Select the appropriate DH Group under the IPsec Crypto profile
  • D. Add an authentication algorithm in the IPsec Crypto profile

Explanation

Perfect Forward Secrecy (PFS) ensures that session keys are not derived from a static long-term key, so compromising one key does not expose past sessions. On Palo Alto Networks firewalls, PFS is enabled under the IKE Gateway advanced options (A). When troubleshooting a Phase 2 mismatch, both VPN peers must agree on whether PFS is enabled and, if so, which Diffie-Hellman group to use. A mismatch in PFS configuration between peers is a common cause of Phase 2 negotiation failure. Note: the DH Group in the IPsec Crypto profile defines the group used for PFS, but the toggle to enable PFS itself is found in the IKE Gateway advanced settings.

Topics

VPN, IPsec, Perfect Forward Secrecy (PFS), IKE Gateway
