Palo Alto Networks Certified Security Engineer PAN-OS 11.0 PCNSE Exam Practice Test

Page: 1 / 14
Total 374 questions
Question 1

An administrator connects a new fiber cable and transceiver on Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?



Answer : D


Question 2

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?



Answer : D


Question 3

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 4

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?



Answer : C


Question 5

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 6

Which method will dynamically register tags on the Palo Alto Networks NGFW?



Question 7

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 8

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 9

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?



Answer : A


Question 10

What type of NAT is required to configure transparent proxy?



Answer : D


Question 11

Which Panorama feature protects logs against data loss if a Panorama server fails?



Answer : B

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.


Question 12

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 13

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)



Answer : A, D


Question 14

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 15

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 16

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 17

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 18

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 19

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 20

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 21

What is the best definition of the Heartbeat Interval?



Answer : C

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


Question 22

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 23

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 24

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.

Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 25

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action alert.

File Profile action alert.

AV and Wildfire action Reset-both

Policy Action Allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 26

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 27

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : C


Question 28

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.



Answer : A

To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a 'master device' must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.

Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.


Question 29

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?



Answer : B


Question 30

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 31

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : B

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 32

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 33

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 34

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?



Answer : B

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.


Question 35

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C. Place a more specific NAT rule above the broader one:

Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.

Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.

Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.


Question 36

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 37

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 38

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 39

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 40

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 41

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?



Answer : B


Question 42

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 43

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 44

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 45

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 46

A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 47

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 48

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)



Answer : A, B


Question 49

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?



Answer : C


Question 50

Review the screenshots.

What is the most likely reason for this decryption error log?



Answer : D


Question 51

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?



Answer : C


Question 52

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 53

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 54

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)



Question 55

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 56

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 57

Which three sessions are created by a NGFW for web proxy? (Choose three.)



Answer : A, B, C


Question 58

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named ''Global'' and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy.

Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 59

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)



Answer : B, D


Question 60

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls


Question 61

Exhibit.

Review the screenshots and consider the following information

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.


Question 62

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 63

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 64

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 65

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?



Answer : B


Question 66

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 67

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?



Answer : A


Question 68

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 69

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?



Answer : C


Question 70

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?



Answer : D

Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) ensures future-proofing. Container apps (e.g., 'web-browsing') include child apps (e.g., specific web services) as signatures evolve, maintaining rule accuracy without over-matching unrelated traffic.

Option A (custom app with ports) reverts to port-based logic, losing App-ID benefits. Option B (application filter) risks overbroad matching (e.g., by category). Option C (specific apps) lacks flexibility for new child apps. Documentation supports container apps for this purpose.


Question 71

What type of NAT is required to configure transparent proxy?



Answer : D


Question 72

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 73

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 74

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.


Question 75

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action: alert

File profile action: alert

AV and WildFire profile action: reset-both

Policy action: allow

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 76

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 77

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?



Answer : C


Question 78

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)



Question 79

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 80

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 81

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?



Answer : D

In the second image, the virtual wire (vwire) ports are ethernet1/5 and ethernet1/7, so they cannot take part in any other routing. Any traffic that ingresses on ethernet1/7 must therefore egress via ethernet1/5.

The egress interface for traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination 10.46.41.113 will be ethernet1/5. The traffic matches the virtual wire made up of ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 201. The traffic also matches the security policy rule that allows traffic from zone Trust to zone Untrust, which are assigned to ethernet1/7 and ethernet1/5 respectively. Therefore, the traffic is forwarded out the other interface of the virtual wire pair, which is ethernet1/5.


Question 82

PBF can address which two scenarios? (Choose two.)



Answer : A, B

Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:

A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.


Question 83

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two)



Answer : B, D

Palo Alto firewalls can gather User-ID mappings from proxies via Syslog (Option B), parsing log messages with user-IP data, and XFF Headers (Option D), extracting user info from HTTP headers (X-Forwarded-For) if the proxy supports it.

Option A (Client Probing) queries clients, not proxies. Option C (Server Monitoring) targets servers like AD, not proxies. Documentation lists these methods for proxy integration.


Question 84

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?



Answer : A


Question 85

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 86

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?



Answer : A

The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. Decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.


Question 87

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?



Answer : C


Question 88

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?



Answer : A


Question 89

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 90

Which two statements correctly describe Session 380280? (Choose two.)



Answer : A, C


Question 91

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D



Question 92

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)



Answer : B, D, E

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content


Question 93

Review the screenshots.

What is the most likely reason for this decryption error log?



Answer : D


Question 94

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 95

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 96

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?



Answer : C

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network.

Reference: Configure a Syslog Listener for User Mapping; User-ID Agent Deployment Guide; PCNSE Study Guide (page 48)


Question 97

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.


Question 98

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : C

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.

Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read-only to control what administrators can configure.


Question 99

Exhibit.

Review the screenshots and consider the following information

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A



Question 100

Which Panorama feature protects logs against data loss if a Panorama server fails?



Answer : B

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.


Question 101

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What should the administrator configure in the User-ID agent?



Answer : D


Question 102

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?



Answer : C

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management

Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.


Question 103

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 104

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?



Answer : B

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9


Question 105

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?



Answer : D

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516


Question 106

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?



Answer : B

Schedule content updates so that they download and install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first


Question 107

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)



Answer : B, D

The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key.

Reference: Key Exchange Algorithms; Best Practices for Enabling SSL Decryption; PCNSE Study Guide (page 60)


Question 108

Which link is responsible for synchronizing sessions between high availability (HA) peers?



Answer : D


Question 109

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 110

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)



Answer : A, D

For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.

For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.


Question 111

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?



Answer : B

Set the Action to take when matching a packet:

Forward: Directs the packet to the specified Egress Interface.

Forward to VSYS (on a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.

Discard: Drops the packet.

No PBF: Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c


Question 112

If a URL is in multiple custom URL categories with different actions, which action will take priority?



Answer : C

When a URL matches multiple categories, the category chosen is the one that has the most severe action, in the order defined below (block being the most severe and allow the least severe).

1. block

2. override

3. continue

4. alert

5. allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC


Question 113

Which Panorama feature protects logs against data loss if a Panorama server fails?



Answer : B



Question 114

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D . A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 115

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 116

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B . Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, protocol, and port. Instead of relying on the App-ID engine to identify the application, the firewall classifies matching traffic as the application named in the rule. Because App-ID is skipped, traffic overridden to a custom application (one with no signature) also bypasses Content-ID, so it receives no threat, URL, or file inspection; scope the rule to specific zones, addresses, and ports rather than any/any.

C . Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.
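The two-rule dependency above is easy to get wrong in a large rulebase: the override rule exists, but the first Security rule that sees the overridden application denies it. The following script is an added example (not code from the page, the exam, or Palo Alto Networks) that parses "set rulebase ..." lines and reports every application override whose traffic is not allowed by the first matching Security rule. The configuration lines are constructed, and the key names (from, to, source, destination, protocol, port, application, service, action) follow the set-command syntax as I know it; verify them against "show config running" on your own PAN-OS release. Only zones and the application are compared, so treat it as a screening check; "test security-policy-match" on the firewall remains the authoritative answer.

```python
import shlex
from typing import Any, Dict, List, Optional, Tuple

# Constructed PAN-OS "set" configuration lines for illustration only; they are
# not taken from a real device. Key names follow the set-command syntax as I
# know it (assumption); verify against "show config running" on your firewall.
SAMPLE_CONFIG = """
set rulebase application-override rules Override-Legacy-8443 from trust to dmz source any destination 10.2.0.15 protocol tcp port 8443 application custom-legacy-app
set rulebase application-override rules Override-Scanner from trust to dmz source any destination 10.2.0.20 protocol tcp port 9000 application custom-scanner
set rulebase security rules Allow-Legacy from trust to dmz source any destination 10.2.0.15 application custom-legacy-app service application-default action allow
set rulebase security rules Deny-Rest from any to any source any destination any application any service any action deny
"""

Rule = Dict[str, Any]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'set rulebase <rulebase> rules <name> key value ...' line.

    Values are single tokens or bracketed lists '[ a b ]'; every value is stored
    as a list so that 'from trust' and 'from [ trust dmz ]' look alike."""
    tokens = shlex.split(line)
    if len(tokens) < 5 or tokens[:2] != ["set", "rulebase"] or tokens[3] != "rules":
        return None
    rule: Rule = {"rulebase": tokens[2], "name": tokens[4]}
    i = 5
    while i + 1 < len(tokens):
        key = tokens[i]
        if tokens[i + 1] == "[":
            end = tokens.index("]", i + 2)
            rule[key] = tokens[i + 2:end]
            i = end + 1
        else:
            rule[key] = [tokens[i + 1]]
            i += 2
    return rule


def load_rules(config_text: str) -> Tuple[List[Rule], List[Rule]]:
    """Split the config into application-override rules and Security rules, in order."""
    overrides: List[Rule] = []
    security: List[Rule] = []
    for line in config_text.strip().splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["rulebase"] == "application-override":
            overrides.append(rule)
        elif rule["rulebase"] == "security":
            security.append(rule)
    return overrides, security


def _matches(values: List[str], wanted: str) -> bool:
    return "any" in values or wanted in values


def first_security_match(security: List[Rule], override: Rule) -> Optional[Rule]:
    """Return the first Security rule (top-down) whose zones and application
    cover the overridden traffic. Addresses and ports are ignored here."""
    app = override["application"][0]
    for rule in security:
        if (_matches(rule.get("from", []), override["from"][0])
                and _matches(rule.get("to", []), override["to"][0])
                and _matches(rule.get("application", []), app)):
            return rule
    return None


def uncovered_overrides(config_text: str) -> List[Tuple[str, str, str]]:
    """List (override rule, application, reason) for each override whose
    traffic is not allowed by the first matching Security rule."""
    overrides, security = load_rules(config_text)
    findings = []
    for ov in overrides:
        app = ov["application"][0]
        hit = first_security_match(security, ov)
        if hit is None:
            findings.append((ov["name"], app, "no matching security rule"))
        elif hit.get("action") != ["allow"]:
            findings.append((ov["name"], app, f"first match is {hit['name']} ({hit['action'][0]})"))
    return findings


if __name__ == "__main__":
    for name, app, why in uncovered_overrides(SAMPLE_CONFIG):
        print(f"{name}: traffic overridden to {app} is not allowed: {why}")
```

In the constructed config, Override-Scanner has no Security rule of its own, so its traffic falls through to Deny-Rest and the script reports it; Override-Legacy-8443 is paired with Allow-Legacy and passes.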


Question 117

Which source is the most reliable for collecting User-ID user mapping?



Answer : D


Question 118

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?



Answer : A

To facilitate integration with external log parsing systems, the firewall allows you to customize the log format and to add custom Key:Value attribute pairs. Custom message formats are configured per log type under Device > Server Profiles > Syslog > (Syslog Server Profile) > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format

Step-by-Step

Understanding Log Forwarding in PAN-OS:

Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.

Traffic logs can be customized to include additional information that meets the audit or operational requirements.

Syslog Server Profiles:

Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.

These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).

Custom Log Format:

Navigate to Device > Server Profiles > Syslog.

Within the Syslog Server Profile, define a Custom Log Format for traffic logs.

Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.

Field Specification:

In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.

Example:

$receive_time,$src,$dst,$app,$action,$rule

The engineer can include specific details as requested by the audit team.

Comparison of Other Options:

Option B: Built-in Actions within Objects > Log Forwarding Profile

Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.

Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.

Option C: Logging and Reporting Settings within Device > Setup > Management

These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.

Option D: Data Patterns within Objects > Custom Objects

Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.

Why A is correct:

The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.

This flexibility allows the firewall engineer to meet specific compliance or audit requirements.

Documentation Reference:

PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.

PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
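The collector on the receiving side has to understand whatever format the engineer enters in the profile. The following script is an added example, not code from the page or from Palo Alto Networks: it takes the same custom format string that would be typed into the Syslog Server Profile, compiles it into a parser, and runs it over constructed traffic log lines to answer the kind of question an audit team asks. The format string (key=value labels around the PAN-OS variables $receive_time, $src, $dst, $app, $action, $rule, $srcuser) is an assumption; the sample lines are constructed and are not real firewall output.

```python
import re
from typing import Dict, List, Pattern

# Assumed Custom Log Format string for the Traffic log, as it would be entered
# under Device > Server Profiles > Syslog > <profile> > Custom Log Format.
# The $variables are PAN-OS traffic log fields; the "key=" labels are our choice.
TRAFFIC_FORMAT = (
    "$receive_time src=$src dst=$dst app=$app action=$action rule=$rule user=$srcuser"
)

# Constructed sample lines (not real firewall output), as they would look after
# the syslog collector has stripped the syslog header.
SAMPLE_LINES = [
    "2024/01/15 10:22:03 src=10.1.1.50 dst=93.184.216.34 app=web-browsing action=allow rule=Allow-Web user=corp\\jdoe",
    "2024/01/15 10:22:09 src=10.1.1.77 dst=198.51.100.9 app=ssh action=deny rule=Block-Admin-Protocols user=",
]

_VARIABLE = re.compile(r"\$(\w+)")


def compile_format(fmt: str) -> Pattern[str]:
    """Turn a PAN-OS custom log format string into a regular expression with
    one named group per $variable. Literal text between variables must match
    exactly, so the string that configured the firewall also drives the parser."""
    pieces: List[str] = []
    pos = 0
    for match in _VARIABLE.finditer(fmt):
        pieces.append(re.escape(fmt[pos:match.start()]))
        pieces.append(f"(?P<{match.group(1)}>.*?)")
        pos = match.end()
    pieces.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(pieces) + "$")


def parse_line(pattern: Pattern[str], line: str) -> Dict[str, str]:
    """Map one log line to {variable: value}; a mismatch usually means the
    profile was changed on the firewall and the collector was not."""
    match = pattern.match(line)
    if match is None:
        raise ValueError(f"line does not match the custom log format: {line!r}")
    return match.groupdict()


def parse_lines(fmt: str, lines: List[str]) -> List[Dict[str, str]]:
    pattern = compile_format(fmt)
    return [parse_line(pattern, line) for line in lines]


def denied_flows(records: List[Dict[str, str]]) -> List[str]:
    """Which rules denied traffic, from which sources, attributed to a user
    where User-ID supplied one (an empty $srcuser means no mapping existed)."""
    return [
        f"{r['rule']}: {r['src']} -> {r['dst']} ({r['app']}) user={r['srcuser'] or 'unknown'}"
        for r in records if r["action"] == "deny"
    ]


if __name__ == "__main__":
    for summary in denied_flows(parse_lines(TRAFFIC_FORMAT, SAMPLE_LINES)):
        print(summary)
```

Because the parser is generated from the format string, adding a field for the audit team means editing one string in both places (the profile and the collector) rather than hand-maintaining a regex.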


Question 119

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 120

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?



Answer : A

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping


Question 121

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A . Destination IP addresses of selected unwanted traffic are blocked:

When the built-in Tagging action fires, the firewall applies the configured tag to the IP address selected as the action's Target (Source Address or Destination Address); the registration can be kept on the local firewall, sent to Panorama, or sent to a remote User-ID agent. A Dynamic Address Group (DAG) whose match criterion references that tag picks the address up immediately, without a commit, so a Security rule that uses the DAG can block or otherwise constrain traffic from or to the tagged address. Which side is tagged is a configuration choice, not something fixed by the feature; in this question, the destination IP addresses of the selected unwanted traffic are tagged and blocked.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 122

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?



Question 123

Based on the image, what caused the commit warning?



Answer : D


Question 124

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?



Answer : D


Question 125

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display information about the NAT policy in use for a traffic flow if the Source NAT or Destination NAT columns are added to the view or reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. Comparing the pre-NAT and post-NAT addresses and ports with the NAT rulebase tells the administrator which NAT rule the flow matched.


Question 126

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) pair, a firewall that experiences the failure of a monitored object such as a link or path enters the Tentative state. In this state the firewall synchronizes sessions and configuration from its peer; packets it receives are not processed locally but are forwarded to the peer over the HA3 link. The firewall is not fully functional but is working toward resuming normal operation. Therefore, the correct answer is B, Tentative.


Question 127

During the process of developing a decryption strategy and evaluating which websites corporate users are required to access, several sites have been identified that cannot be decrypted for technical reasons; in this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?



Answer : C

If some sites cannot be decrypted for technical reasons, such as unsupported ciphers, and blocking them is not acceptable, the engineer should add the sites to the SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) to exempt them from decryption. Palo Alto Networks pre-populates the list with sites that break when decrypted because of certificate pinning, mutual authentication, or unsupported cipher suites, and the engineer can add custom entries when a business reason or technical limitation justifies not decrypting them. Traffic to excluded sites passes through without being decrypted or blocked by the firewall. References: SSL Decryption Exclusion; Troubleshoot Unsupported Cipher Suites.


Question 128

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?



Answer : C

Ping Interval---Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms).

Ping Count---Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).


Question 129

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 130

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 131

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 132

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain, Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End users must not get the warning for the https://www.very-important-website.com/ website.

2. End users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A

The firewall signs a decrypted site with the Forward Untrust certificate (here Untrusted-CA) only when it cannot build a trusted chain for the server certificate. The chain in this scenario is valid, so the fix is to make the firewall trust it: import Well-Known-Intermediate and Well-Known-Root-CA under Device > Certificate Management > Certificates, mark them as Trusted Root CA, and commit. The firewall then signs this site with the Forward Trust certificate that the end-user systems already trust, while sites with genuinely untrusted chains continue to be signed with Untrusted-CA and still produce the warning. Distributing Untrusted-CA to clients, or disabling the untrusted-issuer check in the Decryption profile, would satisfy the first requirement but violate the second.


Question 133

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?



Answer : A


Question 134

Which link is responsible for synchronizing sessions between high availability (HA) peers?



Answer : D


Question 135

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 136

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Panorama Administrator's Guide, Manage Device Groups > Add a Device Group: after adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256). Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 137

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 138

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 139

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 140

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 141

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval: the number of milliseconds between hello packets sent to check the HA status of the peer firewall. The default is 8000 ms on all platforms and the range is 8000 to 60000 ms. If the firewall stops receiving hello packets (and the heartbeat pings sent over the control link) from its peer, it concludes that the peer has failed and a failover occurs. References: HA Timers; Layer 3 High Availability with Optimal Failover Times Best Practices.


Question 142

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11 0 The client currently uses RADIUS authentication in their environment

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)



Answer : A, D

For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.

For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.


Question 143

Which two statements correctly describe Session 380280? (Choose two.)



Answer : A, C


Question 144

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the Security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the characteristic automatically begins to match only the new App-IDs in that release. This way, the engineer can see how the newly categorized applications might affect Security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs.


Question 145

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 146

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)



Answer : A, B


Question 147

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B . The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 148

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects


Question 149

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

In addition to flood thresholds, you can use DoS Protection profiles to detect and prevent session exhaustion attacks, in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches that limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 150

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)



Answer : A, B


Question 151

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One built-in action is Tagging, which applies a tag to the source or destination IP address of the matching log (chosen in the action's Target field) and registers it on the local firewall, on Panorama, or on a remote User-ID agent. A Dynamic Address Group (DAG) that matches on the tag then includes the address automatically, without a commit, so a Security rule referencing the DAG can block traffic to those destinations (or from those sources) as soon as the log is generated.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.
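The built-in Tagging action described in Questions 121 and 151 is the firewall registering an IP-to-tag mapping for itself. The same registration can be driven from an external system (a SIEM or SOAR playbook) through the firewall's XML API, which is how teams quarantine addresses based on evidence the firewall never saw. The following script is an added example, not code from the page or from Palo Alto Networks: it selects source addresses from constructed threat log records at or above a chosen severity, builds the User-ID "register" message that attaches a tag to each address, and reads the message back for verification. The threat log records are constructed; the endpoint (/api/ with type=user-id and cmd=) and the persistent and timeout attributes are used as I recall them from the XML API reference, so check them against your PAN-OS release. The send function is included for completeness and is not called.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional

# Severity names are the PAN-OS threat log values; the numeric ranking is ours.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed threat log records (not real firewall output); in practice these
# come from the forwarded syslog feed or a log query against the firewall.
SAMPLE_THREAT_LOGS: List[Dict[str, str]] = [
    {"src": "203.0.113.10", "dst": "10.1.1.50", "severity": "critical", "action": "alert"},
    {"src": "203.0.113.10", "dst": "10.1.1.51", "severity": "high", "action": "alert"},
    {"src": "198.51.100.7", "dst": "10.1.1.50", "severity": "low", "action": "alert"},
    {"src": "192.0.2.44", "dst": "10.1.1.60", "severity": "high", "action": "reset-both"},
]


def select_addresses(logs: Iterable[Dict[str, str]], min_severity: str = "high",
                     target: str = "src") -> List[str]:
    """Pick the source (or destination) IPs of logs at or above a severity.
    This mirrors the Log Forwarding filter plus the action's Target setting."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({
        entry[target] for entry in logs
        if SEVERITY_RANK.get(entry["severity"], -1) >= floor
    })


def build_register_payload(ips: Iterable[str], tag: str,
                           timeout: Optional[int] = None) -> str:
    """Build the User-ID API 'register' message that attaches a tag to each IP.
    A Dynamic Address Group whose match criterion is that tag then includes the
    address without a commit. persistent/timeout attributes: assumed from the
    XML API reference; verify for your PAN-OS version."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip, persistent="1")
        member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
        if timeout is not None:
            member.set("timeout", str(timeout))  # seconds until the tag expires
        member.text = tag
    return ET.tostring(root, encoding="unicode")


def registered_tags(payload_xml: str) -> Dict[str, List[str]]:
    """Read a register payload back into {ip: [tags]} to check it before sending."""
    root = ET.fromstring(payload_xml)
    result: Dict[str, List[str]] = {}
    for entry in root.iter("entry"):
        result[entry.get("ip")] = [m.text for m in entry.iter("member")]
    return result


def send_to_firewall(host: str, api_key: str, payload_xml: str) -> bytes:
    """POST the message to the firewall XML API (type=user-id). Not called in
    this example: it needs a reachable firewall and a valid API key."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": payload_xml}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=data, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    ips = select_addresses(SAMPLE_THREAT_LOGS, min_severity="high", target="src")
    print(build_register_payload(ips, "quarantine", timeout=3600))
```

The timeout is the part worth thinking about: a quarantine tag that never expires turns a false positive into a permanent outage for that address, so set a timeout and pair it with a process for clearing tags (an "unregister" message has the same shape with an unregister element in place of register).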


Question 152

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 153

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?



Answer : C


Question 154

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is the most reliable User-ID source for this requirement because every user must authenticate to the GlobalProtect portal and gateway (against the authentication profile configured there, for example LDAP, RADIUS, or SAML) before receiving an IP address, so the firewall learns an explicit user-to-IP mapping for every connected endpoint rather than inferring one from logs or probes.


Question 155

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.

What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : B


Question 156

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) pair, a firewall that experiences the failure of a monitored object such as a link or path enters the Tentative state. In this state the firewall synchronizes sessions and configuration from its peer; packets it receives are not processed locally but are forwarded to the peer over the HA3 link. The firewall is not fully functional but is working toward resuming normal operation. Therefore, the correct answer is B, Tentative.


Question 157

A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay configured. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 158

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?



Answer : B

Set the Action to take when matching a packet:

Forward---Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)---Select the virtual system to which to forward the packet.

Discard---Drops the packet.

No PBF---Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c


Question 159

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?



Answer : A

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping


Question 160

An engineer is bootstrapping a VM-Series Firewall Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 161

A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two)



Answer : C, D

To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.

Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn't include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.


Question 162

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?



Answer : C

Of the policy types listed in this question, the one that can use Device-ID as a match condition is QoS. Device-ID identifies and classifies devices on the network by characteristics such as vendor, model, OS, and role. QoS policies allocate bandwidth and prioritize traffic based on criteria such as application, user, source, destination, and device, so a QoS rule can treat IoT devices, laptops, and smartphones differently and protect bandwidth for critical applications and devices. (Device-ID is also a match condition in Security, Decryption, and Authentication policy; it is not available in NAT or PBF rules.)


Question 163

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

With a policy-based VPN peer (a device whose VPN is defined by an access list of local and remote networks rather than by a route), IKE phase 2 only completes when the Proxy IDs configured on the firewall's IPSec tunnel exactly mirror the peer's local and remote network definitions, including the protocol and port fields. A missing or mismatched Proxy ID surfaces as a phase 2 failure while phase 1 is up, so the Proxy IDs are the first thing to verify.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 164

Which translated port number should be used when configuring a NAT rule for transparent proxy?



Answer : C


Question 165

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 166

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?



Answer : D


Question 167

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 168

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.

https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 169

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

To generate email alerts when decryption rules are changed, forward the firewall's Configuration logs to an Email server profile. Configuration logs record every committed change to the configuration, including edits to the Decryption rulebase, with the administrator, the command and the configuration path that was touched; System logs record device events such as commits, HA state changes and content updates, not the contents of rule changes.

Configuration logs are device-level logs, so their forwarding is set up under Device > Log Settings (Configuration section) rather than in a Log Forwarding profile attached to a policy rule. Add a match-list entry whose filter selects changes under the decryption rulebase path (for example a filter on the path field containing 'rulebase decryption'; the exact path string depends on the PAN-OS version and on whether the rule is pushed from Panorama), and attach the Email server profile as the destination. The firewall then sends an email whenever a matching configuration log is written.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.


Question 170

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls (or virtual systems) that share the same policy rules and objects. A device group can contain multiple virtual systems and firewalls, including multi-vsys firewalls, and each vsys of a multi-vsys firewall can be assigned to a different device group according to the policy it needs. This allows granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)


Question 171

A network security engineer is going to enable Zone Protection on several security zones How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 172

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?



Answer : A

For a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain, the most effective method is to use an Authentication policy targeting users not yet identified by the system.

A. An Authentication policy with 'unknown' selected in the Source User field:

An Authentication policy allows the firewall to challenge unidentified users for credentials. By selecting 'unknown' in the Source User field, the policy targets users who have not yet been identified by the firewall, which would include users on new BYOD devices not joined to the domain.

Once the user provides valid credentials, the firewall can authenticate the user and map their identity to subsequent sessions, enabling the application of user-based policy rules and monitoring.

This approach ensures that new and unknown devices can be properly authenticated and identified without compromising security or requiring the device to be part of the corporate domain.


Question 173

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220S after the migration

What can they do to reduce commit times?



Answer : A

By default Panorama pushes every shared address and service object to every managed firewall, so the small PA-220s receive and validate the full object set built for the PA-7000 and PA-5200 deployment on each commit. Clearing 'Share Unused Address and Service Objects with Devices' under Panorama > Setup > Management (Panorama Settings) makes Panorama push only the objects that the device's rules actually reference, which shrinks the configuration and the commit time on the small platforms.

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 174

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain and application?



Answer : A

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 175

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 176

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 177

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 178

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)



Answer : A, B


Question 179

PBF can address which two scenarios? (Choose two.)



Answer : A, B

Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:

A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.


Question 180

Which protocol is supported by GlobalProtect Clientless VPN?



Answer : D

Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html


Question 181

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?



Question 182

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 183

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)



Answer : A, B, C

User-ID is a feature that allows the firewall to identify users and groups on the network and map them to the IP addresses they are using. User-ID information can be collected from various sources, such as:

A: Windows User-ID agent: a software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the mappings to the firewall or Panorama.

B: GlobalProtect: the GlobalProtect app on the endpoint authenticates the user to the gateway, so the firewall learns the user-to-IP mapping directly from the VPN login without any external collector.

C: XML API: an application programming interface that lets external systems or scripts submit user-to-IP mappings to the firewall or Panorama as a uid-message XML document. It is the usual integration point for third-party identity sources, captive portals, or custom applications.
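The XML API mapping described in option C, as an added Python example (not code from the page or from Palo Alto Networks): it builds the uid-message document for login and logout mappings, validates every IP before it goes into the payload, reads a message back for checking, and shows how the submission to /api/?type=user-id would look. The firewall hostname, API key, CA bundle path and the user/IP pairs are placeholders; the send function is not exercised offline.

```python
"""Build, validate and (optionally) submit a User-ID XML API mapping.

Added example; not code from the page or from Palo Alto Networks. The
<uid-message> document and the /api/?type=user-id endpoint are the
documented interface for pushing IP-to-user mappings; the firewall
hostname, API key, CA bundle and the user/IP pairs are placeholders.
"""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins, logouts=(), timeout_minutes=60) -> str:
    """Return the XML for a User-ID update carrying login/logout mappings.

    logins and logouts are iterables of (username, ip). Each IP is
    validated with ipaddress so junk from an upstream system cannot land
    in the firewall's mapping table; timeout is in minutes, as the API expects.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, pairs, extra in (("login", logins, {"timeout": str(timeout_minutes)}),
                                  ("logout", logouts, {})):
        pairs = list(pairs)
        if not pairs:
            continue
        node = ET.SubElement(payload, section)
        for user, ip in pairs:
            if not user or not user.strip():
                raise ValueError("empty username in mapping")
            ip = str(ipaddress.ip_address(ip))  # raises ValueError on malformed input
            ET.SubElement(node, "entry", name=user, ip=ip, **extra)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> dict:
    """Read a uid-message back as {'login': [(user, ip, timeout)], 'logout': [...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message" or root.findtext("type") != "update":
        raise ValueError("not a uid-message update")
    result = {"login": [], "logout": []}
    for section in result:
        for entry in root.findall(f"./payload/{section}/entry"):
            timeout = entry.get("timeout")
            result[section].append((entry.get("name"), entry.get("ip"),
                                    int(timeout) if timeout else None))
    return result


def send_uid_message(firewall: str, api_key: str, xml_text: str, ca_bundle: str) -> str:
    """POST the message to the firewall's XML API and return the raw response.

    The API key travels in the form body rather than the URL so it stays
    out of web-server and proxy logs, and ca_bundle pins the firewall's
    CA instead of disabling certificate verification. Not executed here.
    """
    import ssl
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(f"https://{firewall}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    msg = build_uid_message([("acme\\alice", "10.1.1.5")], logouts=[("acme\\bob", "10.1.1.6")])
    print(msg)
    print(parse_uid_message(msg))
```

Use a dedicated API-role administrator whose role grants only the User-ID API permission for the key that scripts like this use, so a leaked key cannot change policy or configuration.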


Question 184

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.

What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : B

Sessions that matched the previous filter stay marked for capture after the filter is changed, so a new capture still contains their traffic. Clear the marked sessions (for example with 'debug dataplane packet-diag clear filter-marked-session all') before re-enabling the capture, so that only sessions matching the new filter are marked.


Question 185

Which CLI command displays the physical media that are connected to ethernet1/8?



Answer : B

The CLI command 'show system state filter-pretty sys.s1.p8.phy' displays the physical-layer state for slot 1, port 8, which is ethernet1/8, including the media type and, for an SFP or SFP+ module, the transceiver details. The sys.sN.pM key names the slot and port, so ethernet1/1 is sys.s1.p1.phy; 'filter-pretty' formats the nested output for reading, whereas 'filter' prints it raw.

For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.


Question 186

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 187

An administrator notices interface ethernet1/2 failed on the active firewall in an active / passive firewall high availability (HA) pair Based on the image below what - if any - action was taken by the active firewall when the link failed?



Answer : C


Question 188

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)



Answer : C, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

These are the two links that can be used to configure an active/active high availability pair. An active/active pair consists of two firewalls that are both active and share the traffic load between them. The links involved are:

HA1: the control link, used for hello messages, heartbeats, HA state information and configuration synchronization between the peers. It can be a dedicated HA port, the management port or an in-band Layer 3 interface, and a backup HA1 link is recommended so that a single link failure is not mistaken for a peer failure.

HA2: the data link, used to synchronize session, forwarding-table, IPSec SA and ARP state between the peers so that the surviving firewall can carry existing sessions after a failover. It can be a dedicated HA port or an in-band interface, and it can also have a backup link.

HA3: the packet-forwarding link, used only in active/active mode. When a packet arrives at the firewall that is not the session owner, it is forwarded over HA3 to the owner for Layer 7 processing (session setup and asymmetrically routed traffic). HA3 is a Layer 2 link between the peers and is not used in active/passive deployments.


Question 189

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode on the IKE gateway. Passive Mode tells the firewall never to initiate and only to respond to the peer's IKE negotiation. Option A, certificate authentication, changes how the peers authenticate but not which side initiates. Option C, the Dynamic peer address type, is what accommodates an unknown peer address (a firewall with no peer address cannot initiate anyway) and is normally used together with passive mode; it does not by itself make the firewall the responder. Option D, a peer address expressed as an FQDN, still requires a resolvable name for the peer.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 190

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator identify new applications that are not explicitly defined in the rule but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 191

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?



Answer : B


Question 192

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 193

For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : A


Question 194

Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?



Answer : C

The 'No direct access to local network' setting in the GlobalProtect gateway's Client Settings under Split Tunnel (Option C) is the cause: when it is enabled, the app blocks traffic to the client's local subnet (printers, file shares, local DNS) for as long as the tunnel is up. Clearing it lets split tunneling pass local traffic outside the tunnel, resolving the issue.

Option A (Network Services) is the wrong location for this setting. Option B (Satellite) applies to LSVPN satellite configuration. Option D (Portal App) configures the app on the portal side and does not control this behavior. The documentation places this setting on the gateway.


Question 195

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 196

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 197

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm (in practice the cipher suite, including its key exchange) and the TLS protocol version. Both determine how much CPU the firewall spends per session when it decrypts and inspects SSL/TLS traffic.

The cipher suite decides the cryptographic work the firewall must do. Symmetric bulk ciphers such as AES (especially AES-GCM, which hardware accelerates well) are cheap; the expensive part is the key exchange, which an SSL Forward Proxy firewall performs twice per session, once with the client and once with the server. Key exchanges based on ECDHE, which provide perfect forward secrecy, cost more CPU than RSA key exchange, and larger RSA or EC key sizes cost more still. Asymmetric and symmetric algorithms are not interchangeable: RSA or ECDHE establish the session key while AES or ChaCha20 encrypt the data, so the question is not which is more secure but how much of each the firewall will have to perform. The firewall must support the cipher suites in use and have enough capacity for the resulting decryption load.

The TLS protocol version defines how the session is negotiated and which cipher suites are allowed. TLS 1.3 permits only AEAD ciphers (AES-GCM and ChaCha20-Poly1305) and ephemeral (EC)DHE key exchange, so every TLS 1.3 session carries the forward-secrecy cost described above; it does not require elliptic-curve certificates, but RSA key exchange is gone. Older versions allow the cheaper RSA key exchange but also weaker ciphers that the decryption profile should block. Size the deployment for the mix of versions and cipher suites the real traffic uses, which the Decryption log reports once decryption is enabled.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones only affects how the firewall matches traffic to decryption rules based on source and destination zones; it does not change the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by security policy or decryption policy rules; it does not change the decryption capacity or throughput.

Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)


Question 198

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 199

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine replaces the legacy virtual router with logical routers and a richer set of routing profiles and filters. It is a device-wide setting, not a per-virtual-router one: the administrator goes to Device > Setup > Management, edits General Settings, selects Advanced Routing, commits, and then reboots the firewall; the change takes effect only after the reboot. (On Panorama the same setting lives in the template's Device > Setup.) After the reboot, routing is configured under Network > Routing > Logical Routers rather than Network > Virtual Routers, so plan the cut-over, since existing virtual-router configuration has to be moved to the new engine.


Question 200

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 201

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?



Answer : A


Question 202

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. It is the interval in milliseconds between hello packets that the firewalls exchange over the HA1 control link to check the HA state of the peer. The default value for the Hello Interval is 8000 ms on all platforms, and the range is 8000-60000 ms. It is distinct from the Heartbeat Interval, which sets how often ICMP pings are sent to the peer to confirm that it is reachable. Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices


Question 203

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 204

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 205

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?



Answer : B

Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.

The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.

Step-by-Step Explanation

Link Clicked and File Download Triggered:

When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.

URL Inspection by WildFire:

The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:

Known malicious indicators.

Suspicious elements like embedded scripts, links, or calls to external resources.

Forwarding the PE File for Analysis:

The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.

Dynamic and Static Analysis:

Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:

Suspicious code patterns.

Known malicious signatures.

Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).

Dynamic Analysis: The file is executed in a controlled virtual environment to observe:

Behavioral anomalies, like privilege escalation attempts.

Network communication, such as connections to Command and Control (C2) servers.

File system modifications or registry changes indicative of malicious intent.

Threat Verdict:

Based on its findings, WildFire classifies the URL and PE file into one of the following categories:

Benign.

Grayware.

Malware.

Phishing.

Automated Response:

If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:

Blocking access to the webpage.

Quarantining or blocking the downloaded file.

Generating a detailed alert or log entry for administrators.

Signature Update:

WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.

Advanced WildFire Configuration and Behavior

Forwarding File Types:

The WildFire analysis profile must be configured to forward relevant file types. In this case:

PE files are commonly forwarded by default since they are a known vector for malware.

Administrators can define custom forwarding rules based on file type and traffic.

Integration with the Security Profile:

WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).

URL Filtering ensures that the link itself is categorized and blocked if malicious.

WildFire's output informs and updates the threat prevention database dynamically.

Why the Answer is B?

WildFire performs dual analysis:

The linked webpage is checked for malicious scripts or phishing attempts.

The PE file downloaded is analyzed for malware through both static and dynamic methods.

This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.

Document Reference:

PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.

Palo Alto Networks WildFire Admin Guide:

This guide details file forwarding configurations, supported file types, and the global signature distribution process.

PAN-OS Admin Guide:

Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.


Question 206

An engineer is reviewing policies after a PAN-OS upgrade What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?



Answer : A, C


Question 207

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 208

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 209

What must be configured to apply tags automatically based on User-ID logs?



Answer : D

To apply tags automatically from User-ID logs, the engineer configures log forwarding for the User-ID log type with a Built-in Action that adds a tag to the source user or IP address when the log matches a filter. User-ID, System, Configuration, HIP Match, GlobalProtect and IP-Tag logs are device-level logs, so their forwarding and auto-tagging are configured under Device > Log Settings; a Log Forwarding profile attached to a Security or Decryption rule handles session logs (Traffic, Threat, URL, WildFire and similar) and never sees User-ID logs. The applied tags then populate dynamic user groups or dynamic address groups for policy enforcement or reporting. Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
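The match-list logic behind this question and Questions 165 and 169 above, as an added Python example (not code from the page or from Palo Alto Networks): it models a Log Forwarding profile whose Threat match list keeps sending every threat log to Panorama while a second entry sends only severity medium or higher to syslog, a Device > Log Settings entry that emails Configuration logs touching the decryption rulebase, and a User-ID entry whose Built-in Action adds a tag. Entry names, destinations and the sample log records are constructed for the example, and the filter parser covers only a subset of the PAN-OS filter syntax (clauses of the form "(field op 'value')" combined with "and").

```python
"""Model PAN-OS log forwarding match lists and work out where a log goes.

Added example; not code from the page or from Palo Alto Networks. Entry
names, destinations and the log records are constructed, and the filter
grammar is a small subset of the PAN-OS filter syntax.
"""
import re

# Threat log severities in ascending order; used for geq / leq comparisons.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# One clause of the filter grammar: (field operator value), value optionally quoted.
CLAUSE_RE = re.compile(r"\(\s*(\w+)\s+(eq|neq|geq|leq|contains)\s+'?([^')]*?)'?\s*\)")


def matches(filter_expr: str, log: dict) -> bool:
    """True if the log satisfies every clause; an empty filter means 'All Logs'."""
    if not filter_expr.strip():
        return True
    clauses = CLAUSE_RE.findall(filter_expr)
    if not clauses:
        raise ValueError(f"unparseable filter: {filter_expr!r}")
    for field, op, value in clauses:
        actual = str(log.get(field, ""))
        if op in ("geq", "leq"):
            if field != "severity":
                raise ValueError(f"{op} is only modelled for severity, not {field}")
            have, want = SEVERITY_RANK[actual], SEVERITY_RANK[value]
            ok = have >= want if op == "geq" else have <= want
        elif op == "eq":
            ok = actual == value
        elif op == "neq":
            ok = actual != value
        else:  # contains
            ok = value in actual
        if not ok:
            return False
    return True


def deliver(entries: list, log: dict) -> tuple:
    """Apply every match-list entry for the log's type to one log record.

    Returns (destinations, tags): the sorted destinations that receive the
    log and the sorted tags a Built-in Action would attach to it.
    """
    destinations, tags = set(), set()
    for entry in entries:
        if entry["log_type"] == log["type"] and matches(entry["filter"], log):
            destinations.update(entry["destinations"])
            tags.update(entry.get("add_tags", ()))
    return sorted(destinations), sorted(tags)


# Log Forwarding profile attached to Security rules (Question 165): the
# existing "everything to Panorama" entry is left untouched and the syslog
# requirement is met by adding a second, filtered entry.
THREAT_PROFILE = [
    {"name": "threat-all-panorama", "log_type": "threat", "filter": "",
     "destinations": ["panorama"]},
    {"name": "threat-medium-plus-syslog", "log_type": "threat",
     "filter": "(severity geq medium)", "destinations": ["syslog:siem"]},
]

# Device > Log Settings entries for device-level log types (Questions 169, 209).
DEVICE_LOG_SETTINGS = [
    {"name": "decryption-rule-changes", "log_type": "config",
     "filter": "(path contains 'rulebase decryption')",
     "destinations": ["email:secops"]},
    {"name": "tag-contractor-logins", "log_type": "userid",
     "filter": "(user contains 'contractor')",
     "destinations": [], "add_tags": ["contractor-session"]},
]

# Constructed log records (not real firewall output).
SAMPLE_LOGS = {
    "threat-low": {"type": "threat", "severity": "low"},
    "threat-high": {"type": "threat", "severity": "high"},
    "config-decrypt": {"type": "config", "admin": "alice", "cmd": "edit",
                       "path": "vsys vsys1 rulebase decryption rules inspect-outbound"},
    "config-security": {"type": "config", "admin": "alice", "cmd": "edit",
                        "path": "vsys vsys1 rulebase security rules allow-web"},
    "userid-contractor": {"type": "userid", "user": "acme\\contractor01", "ip": "10.20.30.40"},
}


def demo() -> dict:
    """Route every sample log through both configurations."""
    entries = THREAT_PROFILE + DEVICE_LOG_SETTINGS
    return {name: deliver(entries, log) for name, log in SAMPLE_LOGS.items()}


if __name__ == "__main__":
    for name, (dests, tags) in demo().items():
        print(f"{name:18} -> {dests or '-'} tags={tags or '-'}")
```

The point the model makes is structural: a match-list entry's filter narrows only that entry's destinations, so adding a filtered syslog entry beside the unfiltered Panorama entry leaves the Panorama feed exactly as it was, and the tag action on the User-ID entry fires from Device > Log Settings because no Security-rule profile ever receives a User-ID log.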


Question 210

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display the NAT policy that is in use for a traffic flow if the Source NAT or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns help the administrator identify which NAT policy is applied to the traffic flow by comparing the pre-NAT and post-NAT addresses and ports.


Question 211

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 212

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 213

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)



Answer : B, C

From the PAN-OS auto-tagging documentation:

- Threat logs: create a log forwarding profile to define how you want the firewall or Panorama to handle logs.

- Configure an HTTP server profile to forward logs to a remote User-ID agent.

- Select the log forwarding profile you created, then select this server profile as the HTTP server profile.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions


Question 214

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 215

What should an engineer consider when setting up the DNS proxy for web proxy?



Answer : A


Question 216

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.

Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.


Question 217

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.

Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.


Question 218

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 219

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?



Answer : D


Question 220

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?



Answer : B


Question 221

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)



Answer : B, C, D


Question 222

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 223

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?



Answer : C


Question 224

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 225

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three)



Answer : A, B, C


Question 226

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 227

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?



Answer : C

Ping Interval: Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000 ms; default is 200 ms).

Ping Count: Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).


Question 228

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 229

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 230

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 231

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 232

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 233

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)



Answer : B, D


Question 234

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)



Answer : B, C, D


Question 235

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?



Answer : B


Question 236

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?



Answer : C


Question 237

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 238

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?



Answer : A


Question 239

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?



Answer : B


Question 240

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 241

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?



Answer : B

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.

The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.


Question 242

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.


Question 243

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)



Answer : A, D


Question 244

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?



Answer : B

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.


Question 245

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 246

PBF can address which two scenarios? (Choose two.)



Answer : A, B

Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:

A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.


Question 247

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

References: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages


Question 248

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 249

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)



Answer : A, B


Question 250

Which source is the most reliable for collecting User-ID user mapping?



Answer : D


Question 251

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?



Answer : A

In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.

For verification, please refer to the Palo Alto Networks 'PAN-OS Administrator's Guide' or the official configuration documentation for Panorama and device group rules.


Question 252

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 253

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 254

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 255

Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?



Answer : B

In Palo Alto Networks firewalls, when multiple static routes exist for the same destination, the firewall uses the administrative distance (AD) to determine route priority. The AD is a metric that indicates the trustworthiness of a route, with lower values indicating higher priority. For static routes, the default AD is 10, but this can be manually adjusted. The route with the lowest AD is preferred and added to the routing table. If AD values are equal, the firewall then considers the metric (default 10), but AD is the primary differentiator.

Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto's implementation.


Question 256

Why would a traffic log list an application as "not-applicable''?



Answer : A

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a Security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.


Question 257

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

In addition to IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 258

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?



Answer : B


Question 259

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS


Question 260

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?



Answer : A


Question 261

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?



Answer : C


Question 262

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?



Answer : D


Question 263

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)



Answer : A, B


Question 264

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 265

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 266

What is the best definition of the Heartbeat Interval?



Answer : C

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


Question 267

What are three prerequisites for credential phishing prevention to function? (Choose three.)



Answer : A, D, E


Question 268

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?



Answer : B

In a High Availability (HA) pair of Palo Alto Networks firewalls, IPsec tunnel Security Associations (SAs) are synchronized so that a failover does not interrupt encrypted traffic. Phase 2 (IPsec) SAs are synchronized over the HA2 link, which also carries session, forwarding-table, ARP-table and other run-time state between the active and passive firewalls. Because the passive unit already holds the Phase 2 SAs, it can continue to encrypt and decrypt tunnel traffic immediately after taking over. Phase 1 (IKE) SAs are not synchronized; the newly active firewall re-establishes the IKE SA with the peer after failover.


Question 269

Which method will dynamically register tags on the Palo Alto Networks NGFW?



Question 270

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls


Question 271

Which source is the most reliable for collecting User-ID user mapping?



Answer : D


Question 272

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 273

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 274

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 275

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a rule in the New App Viewer under Policy Optimizer lets an administrator compare the applications configured in the rule with the applications seen in traffic matching that rule. This shows which newly released App-IDs that affect the rule are not explicitly listed in it, together with usage statistics and risk levels, so the rule can be tightened by adding, removing or replacing applications before a content update changes how its traffic is identified. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 276

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 277

What is the best description of the Cluster Synchronization Timeout (min)?



Answer : A

Cluster Synchronization Timeout (min) is the maximum number of minutes that the local firewall waits before going to the Active state when another cluster member (for example, one in an unknown state) is preventing the cluster from fully synchronizing. It applies to HA clustering, in which a group of firewalls share session state: the local member waits for the cluster to finish synchronizing before it starts processing traffic, and the timeout ensures that a member that is still initializing or is non-functional does not hold up the others indefinitely. The range is 0 to 30 minutes and the default is 0, meaning the local firewall does not wait for the other members and goes Active immediately; a positive value makes it wait up to that long, or until the cluster synchronizes, whichever comes first. Reference: Configure HA Clustering, PCNSE Study Guide (page 53)


Question 278

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 279

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?



Answer : B

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb
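The forward and reverse directions are easy to confuse, so here is a small model of the rewrite decision, added as an example for this page and not code from Palo Alto Networks or PAN-OS. It treats the rule's Original Destination Address and Translated Destination Address as either a single host or equal-sized ranges mapped one-to-one by host offset, which is how static destination NAT behaves; the DNS answer tuples and the rule dictionary are constructed inputs standing in for what a resolver library would hand over.

```python
import ipaddress


def _same_offset(ip, from_net, to_net):
    """Static one-to-one NAT keeps the host offset: map ip within from_net to to_net."""
    offset = int(ip) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + offset))


def rewrite_dns_answer(original_dst, translated_dst, direction, answer_ip):
    """Apply a DNS-rewrite-enabled destination NAT rule to one A-record address.

    original_dst / translated_dst: the rule's Original Destination Address and
    Translated Destination Address (a host, or CIDR ranges of the same size).
    direction: 'forward' rewrites an answer that matches the original address
    with the same translation the rule uses; 'reverse' rewrites an answer that
    matches the translated address back to the original.
    Returns the rewritten address, or None when the answer does not match.
    """
    orig = ipaddress.ip_network(original_dst, strict=False)
    trans = ipaddress.ip_network(translated_dst, strict=False)
    if orig.prefixlen != trans.prefixlen:
        raise ValueError("static NAT with DNS rewrite needs equal-sized ranges")
    ip = ipaddress.ip_address(answer_ip)
    if direction == "forward":
        return _same_offset(ip, orig, trans) if ip in orig else None
    if direction == "reverse":
        return _same_offset(ip, trans, orig) if ip in trans else None
    raise ValueError("direction must be 'forward' or 'reverse'")


def rewrite_dns_response(rule, answers):
    """Rewrite every A record in a parsed DNS response; other record types pass through.

    rule: dict with 'original', 'translated' and 'direction' keys (constructed).
    answers: list of (rrtype, rdata) tuples (constructed stand-in for a parsed reply).
    """
    out = []
    for rrtype, rdata in answers:
        if rrtype == "A":
            rewritten = rewrite_dns_answer(rule["original"], rule["translated"],
                                           rule["direction"], rdata)
            out.append((rrtype, rewritten if rewritten is not None else rdata))
        else:
            out.append((rrtype, rdata))
    return out


if __name__ == "__main__":
    # The rule from the question: 1.1.1.10 -> 192.168.1.10, forward direction.
    rule = {"original": "1.1.1.10", "translated": "192.168.1.10", "direction": "forward"}
    print(rewrite_dns_response(rule, [("A", "1.1.1.10"), ("A", "8.8.8.8"),
                                      ("AAAA", "2001:db8::10")]))
```

With the forward direction the answer 1.1.1.10 becomes 192.168.1.10, as the question requires; the same rule in the reverse direction would leave 1.1.1.10 alone and instead map an answer of 192.168.1.10 back to 1.1.1.10, which is the behaviour wanted when internal clients resolve a public name for an internally hosted server.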


Question 280

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings control how quickly an HA pair detects a failure and fails over. PAN-OS provides two predefined timer profiles: Recommended, the default (Option D), whose timer values suit typical deployments and give reliable failover without excessive sensitivity, and Aggressive, whose shorter timers fail over faster at the cost of more sensitivity to transient conditions. A third setting, Advanced, exposes the individual timers (promotion hold time, hello interval, heartbeat interval, flap max and the monitor fail hold times) for manual tuning.

There is no predefined 'Critical' (Option A) or 'Moderate' (Option B) profile, and the Aggressive profile (Option C) uses faster timers than Recommended, not slower ones. The documentation specifies the Recommended profile for standard use.


Question 281

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : A, D

A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing.This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing1.

A: VirtualWire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment2. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire.The firewall applies security policies to the traffic and forwards it to the same interface from which it was received2.

D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses3. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN.The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table3.

Verified Reference:

1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan

2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html

3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html


Question 282

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations; Troubleshoot Your Panorama Upgrade; PCNSE Study Guide (page 54)


Question 283

As a best practice, logging at session start should be used in which case?



Answer : A


Question 284

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 285

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

Configuration changes, including enabling, disabling, editing or deleting a Decryption policy rule, are recorded in the firewall's Configuration logs, not in the System logs. To be alerted by email, first create an Email server profile (Device > Server Profiles > Email), then under Device > Log Settings add a Configuration log forwarding entry whose filter matches the decryption rulebase (for example, a filter on the configuration path such as ( path contains 'rulebase decryption' )) and attach the Email server profile to it.

Each matching Configuration log carries the administrator, the client (web interface or CLI), the command (set, edit, delete and so on), the configuration path and the before-change and after-change values, so the alert identifies who changed which rule and how. Forwarding only Traffic, Threat or System logs would not capture the change.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.
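To make the filter concrete, the following detection logic runs over a handful of Configuration log records and picks out the decryption rulebase changes an email alert should carry. It is an added example for this page, not code from Palo Alto Networks or PAN-OS: the field order only approximates the CSV layout of a forwarded Configuration log (check the syslog field descriptions for your PAN-OS release before relying on positions), and the five sample records are constructed.

```python
import csv
import io
import re

# Approximate CSV field order of a PAN-OS Configuration log forwarded to syslog
# (assumption for this example; verify against your release's field reference).
FIELDS = ["future_use", "receive_time", "serial", "type", "subtype", "future_use2",
          "generated_time", "host", "vsys", "cmd", "admin", "client", "result",
          "path", "before_change", "after_change"]

# Constructed sample records, not real firewall output.
SAMPLE_LOG = """\
1,2024/03/04 10:01:10,007200001234,CONFIG,0,,2024/03/04 10:01:10,10.0.0.5,vsys1,edit,admin,Web,Succeeded,vsys vsys1 rulebase security rules Allow-Web,action=allow,action=allow
1,2024/03/04 10:02:31,007200001234,CONFIG,0,,2024/03/04 10:02:31,10.0.0.5,vsys1,set,jdoe,Web,Succeeded,vsys vsys1 rulebase decryption rules Decrypt-Outbound disabled,,yes
1,2024/03/04 10:03:05,007200001234,CONFIG,0,,2024/03/04 10:03:05,10.0.0.9,vsys1,delete,jdoe,CLI,Succeeded,vsys vsys1 rulebase decryption rules Decrypt-Inbound,action=decrypt,
1,2024/03/04 10:03:40,007200001234,CONFIG,0,,2024/03/04 10:03:40,10.0.0.9,vsys1,edit,jdoe,CLI,Failed,vsys vsys1 rulebase decryption rules Decrypt-Guest,,
1,2024/03/04 10:04:00,007200001234,CONFIG,0,,2024/03/04 10:04:00,10.0.0.5,vsys1,commit,jdoe,Web,Succeeded,,,
"""

DECRYPTION_RULE = re.compile(r"\brulebase decryption rules (\S+)")


def parse_config_log(text):
    """Yield one dict per Configuration log record."""
    for row in csv.reader(io.StringIO(text)):
        row = row + [""] * (len(FIELDS) - len(row))  # pad short records
        yield dict(zip(FIELDS, row))


def matches_decryption_filter(rec):
    """Software equivalent of a Configuration log forwarding filter such as
    ( path contains 'rulebase decryption rules' ), narrowed to commands that
    change the rulebase and to changes that were actually applied."""
    return (rec["type"] == "CONFIG"
            and rec["cmd"] in {"set", "edit", "delete", "rename", "move"}
            and rec["result"] == "Succeeded"
            and DECRYPTION_RULE.search(rec["path"]) is not None)


def decryption_rule_changes(text):
    """Return the alert-worthy changes: rule name, command, admin, client, new value."""
    alerts = []
    for rec in parse_config_log(text):
        if matches_decryption_filter(rec):
            rule = DECRYPTION_RULE.search(rec["path"]).group(1)
            alerts.append({"time": rec["receive_time"], "rule": rule, "cmd": rec["cmd"],
                           "admin": rec["admin"], "client": rec["client"],
                           "after": rec["after_change"]})
    return alerts


def format_alert(change):
    """Render one change as the body of an email alert."""
    return (f"{change['time']} decryption rule '{change['rule']}' {change['cmd']} "
            f"by {change['admin']} via {change['client']} "
            f"(after: {change['after'] or 'n/a'})")


if __name__ == "__main__":
    for change in decryption_rule_changes(SAMPLE_LOG):
        print(format_alert(change))
```

Of the five constructed records, only the disable of Decrypt-Outbound and the deletion of Decrypt-Inbound are reported: the Security rule edit is outside the decryption rulebase, the failed edit never took effect, and the commit record has no path. The same narrowing (path, command, result) is what the log forwarding filter expresses on the firewall.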


Question 286

A security engineer has configured a GlobalProtect portal agent with four gateways Which GlobalProtect Gateway will users connect to based on the chart provided?



Answer : A


Question 287

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
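The destination NAT questions (273 and 287) and the source NAT question about the SSH server (284) all turn on the same rule: a NAT policy is evaluated with pre-NAT zones and pre-NAT addresses, while a Security policy is evaluated with the zone of the post-NAT destination but still the pre-NAT addresses. The following resolver, added here as an example and not code from Palo Alto Networks, derives both rules from a routing table. The exhibits with the real routes and interfaces are not reproduced on this page, so the ROUTES table, the zone names and the source addresses are assumptions; a real firewall derives the zone from the egress interface of the matching route, which the table collapses into a prefix-to-zone mapping.

```python
import ipaddress

# Constructed routing table: prefix -> zone of the egress interface (assumed values).
ROUTES = [
    ("0.0.0.0/0", "Untrust"),
    ("10.0.0.0/8", "Trust"),
    ("172.16.16.0/24", "Server"),
    ("192.168.10.0/24", "DMZ"),
]


def zone_for(routes, ip):
    """Zone of the interface the firewall would route ip out of (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    if best is None:
        raise LookupError(f"no route for {ip}")
    return best[1]


def destination_nat_policy(routes, src_ip, pre_nat_dst, post_nat_dst):
    """NAT rule: pre-NAT zones and the pre-NAT destination.
    Security rule: zone of the post-NAT destination, but the pre-NAT destination address."""
    src_zone = zone_for(routes, src_ip)
    return {
        "nat_rule": {"from": src_zone, "to": zone_for(routes, pre_nat_dst),
                     "destination": pre_nat_dst, "translated_destination": post_nat_dst},
        "security_rule": {"from": src_zone, "to": zone_for(routes, post_nat_dst),
                          "destination": pre_nat_dst},
    }


def source_nat_policy(routes, src_ip, dst_ip, translated_src):
    """Source NAT leaves the destination alone, so both rules use the same zones;
    the security rule matches the original (pre-NAT) source address."""
    src_zone, dst_zone = zone_for(routes, src_ip), zone_for(routes, dst_ip)
    return {
        "nat_rule": {"from": src_zone, "to": dst_zone, "source": src_ip,
                     "translated_source": translated_src},
        "security_rule": {"from": src_zone, "to": dst_zone, "source": src_ip,
                          "destination": dst_ip},
    }


if __name__ == "__main__":
    # Question 273/287: internet client to the web server's public address.
    print(destination_nat_policy(ROUTES, "203.0.113.5", "153.6.12.10", "192.168.10.10"))
    # Question 284: Trust host to the SSH server, which only answers 172.16.16.1.
    print(source_nat_policy(ROUTES, "10.1.1.20", "172.16.16.50", "172.16.16.1"))
```

For the web server the NAT rule's destination zone resolves to the zone that the public address 153.6.12.10 routes to (Untrust under the assumed table), while the Security rule must use the DMZ as destination zone and 153.6.12.10, not 192.168.10.10, as destination address. For the SSH case the Security rule keeps the Trust host as source, and only the NAT rule mentions 172.16.16.1.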


Question 288

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 289

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : C


Question 290

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 291

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)



Answer : C, D


Question 292

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 293

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)



Answer : A


Question 294

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 295

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display the NAT policy that is in use for a traffic flow if the Source NAT or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.


Question 296

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 297

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?



Answer : C

Device-ID lets the firewall identify and classify devices on the network by attributes such as vendor, model, operating system and role, and it can be used as a match condition in Security, Decryption, Authentication and QoS policy rules; it is not available in NAT or Policy-Based Forwarding rules. Of the policy types offered here, QoS is therefore the one that supports Device-ID. QoS policies allocate bandwidth and prioritize traffic based on criteria such as application, user, source, destination and device, so different QoS actions can be applied to IoT devices, laptops, smartphones and so on to protect the performance of critical applications and devices.


Question 298

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?



Answer : A


Question 299

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the number of milliseconds between the hello packets the HA peers send to verify that the HA program on the other firewall is operational. The default is 8000 ms for all platforms, and the range is 8000 to 60000 ms. The related Heartbeat Interval governs the ICMP pings sent over the HA1 control link to confirm that the peer is reachable; repeated loss of these messages, not a single late hello, is what leads the peer to be declared failed and a failover to occur. Reference: HA Timers; Layer 3 High Availability with Optimal Failover Times Best Practices


Question 300

A firewall engineer is managing a Palo Alto Networks NGFW that has no DHCP server or DHCP relay agent configuration. Which interface mode can pass broadcast DHCP traffic?



Answer : B


Question 301

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 302

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 303

Based on the image, what caused the commit warning?



Answer : D


Question 304

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 305

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 306

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?



Answer : A


Question 307

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?



Answer : B


Question 308

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?



Answer : D


Question 309

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 310

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?



Answer : A

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix MetaFrame Presentation Server or XenApp, configure the Palo Alto Networks Terminal Server (TS) Agent for user mapping.


Question 311

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 312

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)



Answer : A, B


Question 313

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 314

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 315

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?



Answer : D


Question 316

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is the feature that lets the firewalls in an HA pair synchronize their configurations and keep them consistent. When you import the configuration of an HA pair into Panorama, however, you want to avoid any change to the firewall configuration until you have verified and committed the imported configuration on Panorama. Therefore, disable config sync before importing the configuration and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management; PCNSE Study Guide (page 50)


Question 317

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 318

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 319

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?



Answer : C

A change that has already been committed and pushed is recorded in the Configuration logs (Monitor > Logs > Configuration), both on Panorama and on the receiving firewall. Each entry records the administrator, the client, the command, the configuration path that was changed and the before-change and after-change values, so the administrator can reconstruct exactly what the push altered in the device group's policies and objects. Panorama's Config Audit (Panorama > Config Audit) can additionally show a side-by-side diff between two saved or committed configuration versions.

Preview Changes under Push Scope (Option A), by contrast, compares the candidate configuration with the running configuration before a commit or push. It is the right place to verify that the intended changes match what is about to be deployed, but it does not help evaluate a change that has already been applied; for that, the Configuration logs are the record to review.


Question 320

Which Panorama feature protects logs against data loss if a Panorama server fails?



Answer : B

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector Group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the Collector Group, the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, halving the effective storage capacity. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.


Question 321

An engineer reviews high availability (HA) settings to understand a recent HA failover event Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 322

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B . Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, the protocol and port, and the application (normally a custom application) that matching traffic is to be identified as. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic, so no Layer 7 inspection is performed on it.

C . Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 323

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 324

An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the number of milliseconds between the hello packets the HA peers send to verify that the HA program on the other firewall is operational. The default is 8000 ms for all platforms, and the range is 8000 to 60000 ms. The related Heartbeat Interval governs the ICMP pings sent over the HA1 control link to confirm that the peer is reachable; repeated loss of these messages, not a single late hello, is what leads the peer to be declared failed and a failover to occur. Reference: HA Timers; Layer 3 High Availability with Optimal Failover Times Best Practices


Question 325

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 326

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 327

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 328

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 329

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 330

Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to SSH requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 331

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects


Question 332

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs


Question 333

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.

Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.


Question 334

What is the purpose of the firewall decryption broker?



Answer : A


Question 335

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 336

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 337

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?



Answer : D


Question 338

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 339

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 340

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 341

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 342

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 343

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 344

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 345

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 346

Which feature can provide NGFWs with User-ID mapping information?



Answer : C


Question 347

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 348

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 349

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 350

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 351

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 352

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?



Answer : A

The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.


Question 353

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)



Answer : B, D, E

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content


Question 354

What is the purpose of the firewall decryption broker?



Answer : A


Question 355

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 356

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

To confirm this, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including the specific action for each signature.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 357

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 358

Which tool can gather information about the application patterns when defining a signature for a custom application?



Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.


Question 359

View the screenshots

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?



Answer : B, D


Question 360

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 361

The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong?



Answer : D


Question 362

A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configured. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 363

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action: alert.

File profile action: alert.

AV and WildFire action: reset-both.

Policy action: allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 364

What is the best definition of the Heartbeat Interval?



Answer : C

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

'A 'heartbeat-interval' CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link.' https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


Question 365

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?



Answer : A


Question 366

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?



Answer : C

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network. Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)


Question 367

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs


Question 368

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 369

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?



Answer : B

For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.

Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.


Question 370

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 371

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.


Question 372

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 373

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 374

Which rule type controls end user SSL traffic to external websites?



Answer : B

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.


Question 375

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS


Question 376

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 377

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 378

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)



Answer : B, D, E

To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.

To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.

The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.

The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.

QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.

A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.

Reference: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule


Question 379

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 380

Which type of zone will allow different virtual systems to communicate with each other?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone


Question 381

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 382

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 383

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 384

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?



Answer : C


Question 385

Why would a traffic log list an application as "not-applicable"?



Answer : A

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. [1] In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log [1].


Question 386

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 387

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B. Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C. Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 388

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 389

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 390

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?



Answer : A


Question 391

As a best practice, which URL category should you target first for SSL decryption?



Answer : B

Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.

Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.


Question 392

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three.)



Answer : B, C, D


Question 393

A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 394

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone [1].

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall [1].


Question 395

SAML SLO is supported for which two firewall features? (Choose two.)



Answer : A, B


Question 396

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 397

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : B

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 398

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Palo Alto Networks Panorama 7.0 Administrator's Guide (page 77), Manage Firewalls > Manage Device Groups > Add a Device Group: "After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy."

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 399

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view [1]. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port [2]. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.


Question 400

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 401

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.


Question 402

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?



Answer : A


Question 403

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?



Answer : D


Question 404

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?



Question 405

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols


Question 406

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 407

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)



Answer : A, B


Question 408

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 409

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?



Answer : D


Question 410

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 411

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods [1][2]. Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 412

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 413

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)



Answer : A, D


Question 414

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?



Answer : D


Question 415

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 416

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 417

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 418

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)



Answer : A, D

For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.

For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.


Question 419

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?



Answer : C


Question 420

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 421

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK


Question 422

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 423

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 424

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 425

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 426

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?



Answer : C


Question 427

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. [1][2] Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 428

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML [1]. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet [2].

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. [3] An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy [4]. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. [5] Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

References: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages


Question 429

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 430

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)



Answer : A, D


Question 431

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 432

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 433

Which protocol is supported by GlobalProtect clientless VPN?



Answer : C


Question 434

A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What must the company do in order to use PAN-OS MFA?



Answer : D


Question 435

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 436

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?



Answer : C


Question 437

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?



Answer : B


Question 438

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?



Answer : D


Question 439

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 440

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 441

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)



Answer : A, B


Question 442

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?



Answer : A

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620

'Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration.'

'You need to be careful what is actually defined in the template. For example, if you decide to enable HA in the template, but after that you decide not to push it with the template and just disable it again (remove the check from the "Enable HA" checkbox), this will still be part of the template, because now your template is explicitly defining HA as disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value.'


Question 443

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 444

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)



Answer : B, D, E

To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.

To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.

The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.

The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.

QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.

A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.

References: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule


Question 445

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.22/128, and the Microsoft Exchange servers reside in 192.168.28.48/28. What the 0 the User



Answer : D


Question 446

View the screenshots

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?



Answer : B, D


Question 447

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What must the administrator do to correct this issue?



Answer : C

In order to see what is in a template, the device group needs the template referenced. Even if you add the firewall to both the template and the device group, the device group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG


Question 448

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications.

References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 449

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?



Answer : A


Question 450

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4


Question 451

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?



Answer : A


Question 452

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)



Answer : A, D, E

For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

A. External zones with the virtual systems added:

External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.

D. Add a route with next hop next-vr by using the VR configured in the virtual system:

When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.

E. Ensure the virtual systems are visible to one another:

Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.

By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.


Question 453

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)



Answer : B, C, D


Question 454

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?



Answer : D


Question 455

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 456

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 457

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 458

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 459

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 460

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?



Answer : B

The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.

Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.


Question 461

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 462

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 463

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?



Answer : C


Question 464

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 465

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?



Answer : B

Set the Action to take when matching a packet:

Forward: Directs the packet to the specified Egress Interface.

Forward to VSYS (on a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.

Discard: Drops the packet.

No PBF: Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c


Question 466

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 467

Which type of zone will allow different virtual systems to communicate with each other?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone


Question 468

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 469

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 470

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods.

References: DoS Protection, PCNSE Study Guide (page 58)


Question 471

Which CLI command displays the physical media that are connected to ethernet1/8?



Answer : B

The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8 (s1 is slot 1 and p8 is port 8). This command filters the output to show the relevant physical layer information for the specified interface.

For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.


Question 472

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 473

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?



Answer : C


Question 474

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?



Question 475

Which three split tunnel methods are supported by a globalProtect gateway? (Choose three.)



Answer : A, B, C


Question 476

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A . Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 477

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 478

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that, because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?



Answer : C

For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

C. The process involves:

Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.

Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.


Question 479

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 480

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 481

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 482

Which administrative authentication method supports authorization by an external service?



Answer : C


Question 483

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality.

References: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)


Question 484

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.


Question 485

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 486

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display information about the NAT policy that is in use for a traffic flow, if the Source NAT and Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.


Question 487

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 488

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.

The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.

Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)


Question 489

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)



Answer : B, D

When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

B. Template stacks:

Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

D. Variables:

Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.


Question 490

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 491

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 492

An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 493

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 494

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?



Answer : A


Question 495

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users who need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?



Answer : C


Question 496

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?



Answer : D


Question 497

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 498

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?



Answer : D

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview


Question 499

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 500

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?



Answer : A


Question 501

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)



Answer : B, C, E

PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC


Question 502

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)



Answer : B, C

For Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Select the log forwarding profile you created, then select this server profile as the HTTP server profile.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions


Question 503

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 504

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.

Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices


Question 505

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?



Answer : B


Question 506

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?



Answer : D


Question 507

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 508

What should an engineer consider when setting up the DNS proxy for web proxy?



Answer : A


Question 509

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 510

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 511

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)



Answer : A, D


Question 512

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)



Answer : A, C, D

A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.


Question 513

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 514

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 515

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?



Answer : B


Question 516

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?



Answer : C

For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

C. The process involves:

Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.

Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.


Question 517

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?



Answer : A


Question 518

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 519

What type of NAT is required to configure transparent proxy?



Answer : D


Question 520

An organization is interested in migrating from its existing web proxy architecture to the Web Proxy feature of its PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 521

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 522

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in its environment.

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)



Answer : A, D

For explicit Web Proxy deployment on PAN-OS, Palo Alto Networks currently supports Kerberos and SAML as authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication on Palo Alto Networks appliances, which means that if the client is currently using RADIUS, they will need to configure an alternate supported authentication method. LDAP or TACACS+ authentication is not directly supported for Web Proxy authentication in PAN-OS.

For more information on supported Web Proxy authentication methods, please refer to the latest Palo Alto Networks 'PAN-OS Web Interface Reference Guide'.


Question 523

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 524

Which two statements correctly describe Session 380280? (Choose two.)



Answer : A, C


Question 525

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments.

Reference: Monitor New App-IDs


Question 526

If a URL is in multiple custom URL categories with different actions, which action will take priority?



Answer : C

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).

1 block

2 override

3 continue

4 alert

5 allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC


Question 527

Which three sessions are created by a NGFW for web proxy? (Choose three.)



Answer : A, B, C


Question 528

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)



Answer : B, D


Question 529

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 530

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?



Answer : D

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.


Question 531

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?



Answer : C

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C. This can be achieved by:

Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.

Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.


Question 532

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 533

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?



Question 534

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:47 67



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 535

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 536

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 537

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 538

A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP agent configuration. Which interface mode can forward the broadcast DHCP traffic?



Answer : B


Question 539

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 540

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 541

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?



Answer : C

Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management


Question 542

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 543

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 544

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware category: dns-c2 threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 545

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 546

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.

To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.


Question 547

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 548

Which administrative authentication method supports authorization by an external service?



Answer : C


Question 549

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects

Which type of role-based access is most appropriate for this project?



Answer : C

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.


Question 550

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 551

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.


Question 552

What must be configured to apply tags automatically based on User-ID logs?



Answer : D

To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting. Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)


Question 553

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 554

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 555

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?



Answer : D


Question 556

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?



Answer : A


Question 557

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 558

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?



Answer : B

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first


Question 559

For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : A


Question 560

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8


Question 561

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 562

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.

The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.

Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)


Question 563

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?



Answer : B

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9


Question 564

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?



Answer : A


Question 565

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 566

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the 'Tentative' state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.


Question 567

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 568

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 569

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?



Answer : A

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format

Step-by-Step

Understanding Log Forwarding in PAN-OS:

Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.

Traffic logs can be customized to include additional information that meets the audit or operational requirements.

Syslog Server Profiles:

Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.

These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).

Custom Log Format:

Navigate to Device > Server Profiles > Syslog.

Within the Syslog Server Profile, define a Custom Log Format for traffic logs.

Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.

Field Specification:

In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.

Example:

$receive_time,$src,$dst,$app,$action,$rule

The engineer can include specific details as requested by the audit team.
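As an added illustration of how a Custom Log Format string maps onto the lines a syslog collector receives (this is example code written for this page, not PAN-OS code or a Palo Alto Networks tool), the block below extracts the ordered field list from a format string such as the `$receive_time,$src,$dst,$app,$action,$rule` example above, renders a constructed traffic-log record into that shape so a collector's parsing rule can be exercised offline, parses such a line back into named fields, and reports which fields an audit team has asked for are still missing from the format. The sample record values are constructed, and `$srcuser` in the audit list is an assumed field name used only to show the gap check; the format string itself is taken from the page.

```python
import csv
import io
import re

# Custom Log Format string as entered under Device > Server Profiles > Syslog >
# Custom Log Format (format taken from the page). Each $name token is a log field.
CUSTOM_FORMAT = "$receive_time,$src,$dst,$app,$action,$rule"

# Constructed sample traffic-log record (not real firewall output). The rule name
# deliberately contains the delimiter to exercise the parser's edge case.
SAMPLE_RECORD = {
    "receive_time": "2024/05/01 10:15:42",
    "src": "10.1.2.3",
    "dst": "203.0.113.10",
    "app": "web-browsing",
    "action": "allow",
    "rule": "Outbound Web, Audit",
}

_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def format_fields(fmt):
    """Return the ordered list of field names referenced by a format string."""
    return _VAR.findall(fmt)


def render(fmt, record):
    """Simulate one forwarded line for the given format.

    Values containing the delimiter are quoted RFC 4180 style so the line stays
    parseable; verify how the firewall itself emits such values before relying
    on a plain split in the collector.
    """
    names = format_fields(fmt)
    missing = [n for n in names if n not in record]
    if missing:
        raise KeyError(f"record lacks fields: {missing}")
    buf = io.StringIO()
    csv.writer(buf).writerow([record[n] for n in names])
    return buf.getvalue().rstrip("\r\n")


def parse(fmt, line):
    """Parse a line in the custom format back into a dict keyed by field name."""
    names = format_fields(fmt)
    values = next(csv.reader([line]))
    if len(values) != len(names):
        raise ValueError(
            f"expected {len(names)} fields for format {fmt!r}, got {len(values)}"
        )
    return dict(zip(names, values))


def audit_gap(fmt, required):
    """Return the audit-requested field names that the format does not emit."""
    present = set(format_fields(fmt))
    return [name for name in required if name not in present]


if __name__ == "__main__":
    line = render(CUSTOM_FORMAT, SAMPLE_RECORD)
    print(line)
    print(parse(CUSTOM_FORMAT, line))
    # "srcuser" is an assumed extra field the audit team might request.
    print(audit_gap(CUSTOM_FORMAT, ["src", "dst", "srcuser"]))
```

Because the field order is fixed by the format string, the collector's parsing rule must be updated in the same change as the Syslog Server Profile; `audit_gap` gives a quick check that every field the auditors asked for is actually referenced before the profile is committed.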

Comparison of Other Options:

Option B: Built-in Actions within Objects > Log Forwarding Profile

Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.

Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.

Option C: Logging and Reporting Settings within Device > Setup > Management

These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.

Option D: Data Patterns within Objects > Custom Objects

Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.

Why A is Correct?

The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.

This flexibility allows the firewall engineer to meet specific compliance or audit requirements.

Documentation Reference:

PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.

PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.


Question 570

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 571

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 572

Which translated port number should be used when configuring a NAT rule for transparent proxy?



Answer : C


Question 573

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 574

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 575

Which type of zone will allow different virtual systems to communicate with each other?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone


Question 576

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)



Answer : C, D


Question 577

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 578

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?



Answer : D

Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) ensures future-proofing. Container apps (e.g., 'web-browsing') include child apps (e.g., specific web services) as signatures evolve, maintaining rule accuracy without over-matching unrelated traffic.

Option A (custom app with ports) reverts to port-based logic, losing App-ID benefits. Option B (application filter) risks overbroad matching (e.g., by category). Option C (specific apps) lacks flexibility for new child apps. Documentation supports container apps for this purpose.


Question 579

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)



Answer : A, B


Question 580

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 581

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 582

A firewall administrator needs to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?



Answer : D


Question 583

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 584

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 585

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 586

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 587

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?



Answer : C

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C. This can be achieved by:

Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.

Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.


Question 588

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 589

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)



Answer : A, D, E

For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

A. External zones with the virtual systems added:

External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.

D. Add a route with next hop next-vr by using the VR configured in the virtual system:

When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.

E. Ensure the virtual systems are visible to one another:

Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.

By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.


Question 590

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 591

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 592

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 593

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regard to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.

https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 594

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?



Answer : C

The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources. Option D is false; the standalone agent can run on any server.


Question 595

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 596

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 597

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?



Answer : B

In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.


Question 598

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 599

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 600

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 601

A company wants to use GlobalProtect as its remote access VPN solution.

Which GlobalProtect features require a Gateway license?



Answer : C


Question 602

Review the screenshots.

What is the most likely reason for this decryption error log?



Answer : D


Question 603

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 604

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?



Answer : B


Question 605

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 606

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?



Answer : A


Question 607

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 608

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 609

What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects


Question 610

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?



Answer : B


Question 611

What must be configured to apply tags automatically based on User-ID logs?



Answer : D

To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting.

Reference: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)


Question 612

Why would a traffic log list an application as "not-applicable''?



Answer : A

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, or service. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.


Question 613

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)



Answer : C, D


Question 614

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP relay agent configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 615

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 616

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 617

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 618

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A


Question 619

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.

Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.


Question 620

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?



Answer : D


Question 621

Which log type would provide information about traffic blocked by a Zone Protection profile?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the threat log [2]. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].

Verified Reference:

[1] Zone protection profiles - Palo Alto Networks Knowledge Base

[2] Threat Log Fields - Palo Alto Networks


Question 622

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?



Answer : C


Question 623

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 624

Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to the SSH requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 625

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 626

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 627

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls


Question 628

Which type of zone will allow different virtual systems to communicate with each other?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone


Question 629

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 630

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?



Answer : D

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.


Question 631

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 632

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 633

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 634

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 635

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.

Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices


Question 636

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 637

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 638

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 639

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 640

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 641

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A


Question 642

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)



Answer : B, D

When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

B. Template stacks:

Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

D. Variables:

Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.


Question 643

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 644

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 645

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 646

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 647

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 648

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 649

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?



Answer : B


Question 650

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 651

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 652

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats.

Reference: Create the Data Center Best Practice Anti-Spyware Profile; Security Profile: Anti-Spyware; PCNSE Study Guide (page 57)


Question 653

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 654

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 655

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 656

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

In addition to IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 657

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?



Answer : A


Question 658

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B. Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C. Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 659

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action: alert.

File profile action: alert.

AV and WildFire action: reset-both.

Policy action: allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 660

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?



Answer : D

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview


Question 661

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.


Question 662

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 663

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 664

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 665

An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users.

Which option should the administrator use?



Answer : A

If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix MetaFrame Presentation Server or XenApp, configure the Palo Alto Networks Terminal Server (TS) Agent for user mapping.


Question 666

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)



Answer : A, B


Question 667

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 668

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f


Question 669

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 670

Which log type would provide information about traffic blocked by a Zone Protection profile?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the threat log [2]. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].

Verified Reference:

[1] Zone protection profiles - Palo Alto Networks Knowledge Base

[2] Threat Log Fields - Palo Alto Networks


Question 671

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.

Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.


Question 672

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 673

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 674

An engineer needs to collect User-ID mappings from the company's existing proxies.

Which two methods can be used to pull this data from third-party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 675

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 676

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D, D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 677

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.

To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.


Question 678

View the screenshots.

A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct?



Answer : B, D


Question 679

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action: alert.

File profile action: alert.

AV and WildFire action: reset-both.

Policy action: allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 680

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 681

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 682

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 683

A firewall administrator wants to have visibility into one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes. What is the best option for the administrator to take?



Answer : D


Question 684

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?



Answer : B


Question 685

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 686

Exhibit.

Review the screenshots and consider the following information:

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.


Question 687

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?



Answer : C


Question 688

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 689

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 690

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 691

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 692

Which log type would provide information about traffic blocked by a Zone Protection profile?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks [1]. These attacks are classified as threats by the firewall and are logged in the threat log [2]. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats [2].

Verified Reference:

[1] Zone protection profiles - Palo Alto Networks Knowledge Base

[2] Threat Log Fields - Palo Alto Networks


Question 693

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button.The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML1.By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet2.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts.An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc3. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc.An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy4. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons.Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc5. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages


Question 694

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?



Answer : B

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first


Question 695

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?



Answer : A


Question 696

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action alert.

File Profile action alert.

AV and Wildfire action Reset-both

Policy Action Allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 697

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 698

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : C


Question 699

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.


Question 700

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 701

A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 702

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?



Answer : B


Question 703

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?



Answer : A


Question 704

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?



Answer : A


Question 705

A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.)



Answer : C, D

To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.

Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn't include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.


Question 706

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 707

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 708

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 709

A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 710

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 711

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?



Answer : B

The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.

Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.


Question 712

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 713

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 714

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 715

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?



Answer : A


Question 716

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 717

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 718

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)



Answer : B, D, E

To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic.

To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. The administrator can also create a custom QoS profile or use the default one.

The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN.

The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes.

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy.

QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets.

A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application.

Reference: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule


Question 719

Which administrative authentication method supports authorization by an external service?



Answer : C


Question 720

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?



Answer : C

The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources. Option D is false; the standalone agent can run on any server. The original answer (B) was incorrect, contributing to the 83% Core Concepts score.


Question 721

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?



Answer : B


Question 722

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?



Answer : D


Question 723

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 724

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?



Answer : C

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network. Reference: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)


Question 725

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS. what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)


Question 726

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.

The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.

Reference: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)


Question 727

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?



Answer : B

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other


Question 728

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?



Answer : D


Question 729

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.


Question 730

What type of NAT is required to configure transparent proxy?



Answer : D


Question 731

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 732

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 733

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 734

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?



Answer : D

In the second image, the VW ports mentioned are 1/5 and 1/7. Hence they cannot be part of any other routing. So any traffic coming in as ingress from 1/7 has to go out via 1/5.

The egress interface for the traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination 10.46.41.113 will be ethernet1/5. This is because the traffic will match the virtual wire with interfaces ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 20. The traffic will also match the security policy rule that allows traffic from zone Trust to zone Untrust, which are assigned to ethernet1/7 and ethernet1/5 respectively. Therefore, the traffic will be forwarded to the same interface from which it was received, which is ethernet1/5.


Question 735

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?



Answer : B


Question 736

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.


Question 737

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 738

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 739

A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What must the company do in order to use PAN-OS MFA?



Answer : D


Question 740

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-intermediate and Wako Hebe CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https:///www.very-import-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A


Question 741

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 742

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : C


Question 743

Which protocol is supported by GlobalProtect clientless VPN?



Answer : C


Question 744

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?



Answer : C

If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. Reference: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites


Question 745

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 746

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three.)



Answer : A, B, C


Question 747

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 748

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 749

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator account on the firewall? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.


Question 750

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?



Answer : D


Question 751

A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What must the company do in order to use PAN-OS MFA?



Answer : D


Question 752

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same policy rules and objects. A device group can contain firewalls and individual virtual systems, including vsys from multi-vsys firewalls, and each vsys of a multi-vsys firewall can be placed in a different device group according to the policy it needs. This gives granular control when managing multi-vsys firewalls from Panorama.

Reference: Device Group Push to a Multi-VSYS Firewall; Configure Virtual Systems; PCNSE Study Guide (page 50)


Question 753

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator None of the peer addresses are known

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer initiates and its address is not known in advance, enabling Passive Mode on the IKE gateway is the way to establish the tunnel: the firewall never initiates IKE negotiation and only answers the peer's proposal, so it does not need a peer address to send to. The other options do not solve the unknown-address problem on their own. Option A, certificate authentication, changes how the peers authenticate, not which side initiates. Option C, the Dynamic peer address type, describes the peer's addressing but does not by itself control which side initiates. Option D, a peer address given as an FQDN, still requires a resolvable name for the peer.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 754

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks best-practice Anti-Spyware profile enables single-packet capture (PCAP) for medium, high and critical severity threats, so that the first packet of the malicious traffic is available for analysis and investigation. PCAP is not enabled for low and informational severity threats: they are generated in high volume and the captures add little value compared with the cost.

Reference: Create the Data Center Best Practice Anti-Spyware Profile; Security Profile: Anti-Spyware; PCNSE Study Guide (page 57)


Question 755

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 756

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 757

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 758

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8


Question 759

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 760

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 761

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

When a Threat ID is not listed on the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) lists every signature in the installed content, not only those that have recently triggered, so the administrator can locate the ID and add the exception directly. This resolves the false positive in minutes without external assistance. Where possible, scope the exception with the Exempt IP Addresses setting to the affected hosts rather than disabling the signature for all traffic.

Option A (system logs) may explain why the ID is absent but does not implement the fix. Option C (traffic logs) leads to rule-based workarounds, not a profile exception. Option D (support case) is slower and unnecessary. The Threat Prevention documentation describes this method.


Question 762

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)



Answer : A, D


Question 763

SAML SLO is supported for which two firewall features? (Choose two.)



Answer : A, B


Question 764

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?



Answer : B


Question 765

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)



Answer : B, C, E


Question 766

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Panorama 7.0 Administrator's Guide, Manage Device Groups, Add a Device Group: after adding firewalls as managed devices, you can group them into device groups (up to 256). Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS does not synchronize pushed rules across HA peers, so Panorama must push the configuration to both peers.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 767

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : A

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 768

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?



Answer : A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention


Question 769

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?



Answer : D

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516


Question 770

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 771

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 772

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : B

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 773

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it must be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?



Answer : C

For an application that is currently identified as unknown-tcp and whose sessions stay idle for hours, the quickest solution is a custom application combined with an application override rule.

C. The process involves:

Creating a custom application on the firewall and setting its TCP timeouts to accommodate the idle behaviour, so the firewall does not close the sessions for inactivity before the client and server resume exchanging data.

Creating an application override rule that references the custom application. Traffic matching the rule criteria (source and destination zones and addresses, protocol, and port) is labelled as the custom application without going through App-ID's signature-based identification.

Because the override rule skips App-ID and Layer 7 inspection, Content-ID threat scanning is not applied to this traffic; the question states that this is acceptable for this internally developed, trusted application. The traffic is then reported under the custom application name in the Traffic logs, which meets the identification and reporting requirements.


Question 774

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 775

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?



Answer : A


Question 776

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 777

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 778

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 779

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?



Answer : A


Question 780

An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)



Answer : A, D


Question 781

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)



Answer : C, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

An active/active HA pair consists of two firewalls that both process traffic and share the load. The HA links involved are:

HA1: the control link. It carries hello and heartbeat messages, HA state information, and configuration synchronization between the peers. It can be a dedicated HA port, the management port, or a data-plane port of interface type HA, and a backup HA1 link can be configured for redundancy.

HA2: the data link. It synchronizes the session table, forwarding table, ARP table and IPsec security associations between the peers so that existing sessions survive a failover. A backup HA2 link is also supported.

HA3: the packet-forwarding link, used only in active/active deployments. When a packet for a session arrives at the peer that does not own the session, the receiving firewall forwards it over HA3 to the session owner so that Layer 7 inspection stays on one firewall. HA3 is a dedicated data-plane link and is not used in active/passive pairs.


Question 782

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks publishes a recommended upgrade path so that each major release is reached from a supported, stable build; major versions cannot be skipped.

B. The upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current version (10.1), so the firewall carries the latest fixes before the major jump.

Next, upgrading to the base release of the next major version (PAN-OS 10.2.0), followed by the latest preferred 10.2 maintenance release. This ensures the firewall is on a stable and supported build before the next major release.

Finally, upgrading to the base release of PAN-OS 11.0 (11.0.0), followed by the desired 11.0.x maintenance release, which provides the new features such as TLSv1.3 support for management access.

Before each step, install the minimum content release that the target PAN-OS version requires, confirm that any managing Panorama runs the same or a later version than the target, and read the release notes for that version. In an HA pair, upgrade one peer at a time and confirm the pair has re-synchronized before upgrading the second peer.


Question 783

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

NAT rules are evaluated top-down and the first rule that matches is applied, as with Security policy. To exclude one host from a broader source NAT rule, a more specific rule that performs no translation must sit above the broader rule.

C. Place the more specific rule above the broader one:

Create a source NAT rule (NAT-Rule-1) for the whole subnet (10.0.0.0/23) with dynamic IP and port translation; this gives the rest of the subnet internet access.

Create a second rule (NAT-Rule-2) whose original-packet source is the excluded host (10.0.0.10/32) with Source Translation set to None.

Place NAT-Rule-2 above NAT-Rule-1. The more specific rule is then evaluated first, so packets from 10.0.0.10 match it and leave untranslated, while everything else in the subnet falls through to NAT-Rule-1. If NAT-Rule-2 were placed below NAT-Rule-1 it would be shadowed and never match.

Note that a no-translation NAT rule does not by itself deny traffic: packets from 10.0.0.10 simply egress with their private source address, which cannot be routed back from the internet. If the intent is to block the host explicitly, pair the NAT exclusion with a Security policy deny rule for that source, so the block is logged and does not depend on upstream routing.
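The ordering effect described above, as an added example that is not PAN-OS code: a small model of first-match NAT evaluation. The rule names, zones and test addresses are constructed for this illustration; the point is that the same two rules give a different result for 10.0.0.10 depending on which is evaluated first, and that the wrong order leaves NAT-Rule-2 shadowed.

```python
"""First-match evaluation of a source NAT rulebase.

Added example, not Palo Alto Networks code: it models how a top-down NAT
policy is evaluated so the effect of rule ordering can be checked for the
10.0.0.0/23 subnet and the excluded host 10.0.0.10/32. Rule names, zones and
the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                 # original-packet source, CIDR
    translation: Optional[str]  # None models "Source Translation: None"


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str


def match_nat(rules, pkt):
    """Return the first rule whose zones and source cover the packet (top-down)."""
    for rule in rules:
        if (rule.from_zone == pkt.from_zone and rule.to_zone == pkt.to_zone
                and ip_address(pkt.src) in ip_network(rule.source)):
            return rule
    return None


# Constructed rules matching the scenario in the text.
NAT_RULE_1 = NatRule("NAT-Rule-1", "trust", "untrust", "10.0.0.0/23", "dynamic-ip-and-port")
NAT_RULE_2 = NatRule("NAT-Rule-2", "trust", "untrust", "10.0.0.10/32", None)

CORRECT_ORDER = [NAT_RULE_2, NAT_RULE_1]   # specific exclusion first
WRONG_ORDER = [NAT_RULE_1, NAT_RULE_2]     # exclusion shadowed by the /23 rule


def translation_for(rules, src):
    """(rule name, translation) applied to a trust->untrust packet from src."""
    rule = match_nat(rules, Packet("trust", "untrust", src))
    return (rule.name, rule.translation) if rule else (None, None)


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule with the
    same zones already covers their entire source range."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = (earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
            if same_zones and ip_network(later.source).subnet_of(ip_network(earlier.source)):
                out.append(later.name)
                break
    return out


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "10.0.0.10 ->", translation_for(rules, "10.0.0.10"),
              "| 10.0.1.25 ->", translation_for(rules, "10.0.1.25"),
              "| shadowed:", shadowed_rules(rules))
```

The shadowed_rules check is the same test the Panorama and firewall rulebase validation performs for shadowed rules; running it on a proposed order before commit catches the mistake without pushing it to production.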


Question 784

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?



Answer : A


Question 785

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 786

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?



Answer : C


Question 787

A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.

Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?



Answer : C

A syslog listener is the best choice for User-ID coverage in an environment with several authentication systems. The firewall's integrated User-ID agent (or the Windows-based User-ID agent) receives syslog messages from those systems and parses them with a Syslog Parse profile, using regex or field identifiers, to extract IP address-to-username mappings. The same listener can consume login events from the network access control system, the Windows domain controllers and the MDM solution, as well as from VPN gateways, wireless controllers and proxies, so one mechanism covers wireless users, domain-joined machines and managed smartphones regardless of their operating system.

Reference: Configure a Syslog Listener for User Mapping; User-ID Agent Deployment Guide; PCNSE Study Guide (page 48)
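The parsing step described above, as an added example that is not Palo Alto Networks code: one regex per log source extracts the username and IP from constructed syslog lines for the NAC, domain controller and MDM sources in the question, and a logout event removes a mapping. The message formats, host names and log lines are invented for this example and do not reproduce any vendor's real format; a real Syslog Parse profile would carry the actual patterns.

```python
"""Turn authentication syslog from several sources into IP-to-user mappings.

Added example, not Palo Alto Networks code: it shows the kind of regex
extraction a User-ID syslog listener performs. The message formats, host
names and SAMPLE_LOGS below are constructed for this example.
"""
import re

# One regex per log source, selected by the sending host's name prefix.
# Each pattern must capture 'user' and 'ip' groups. Patterns are constructed.
PARSERS = {
    "nac": re.compile(r"AUTH-SUCCESS user=(?P<user>\S+) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "dc":  re.compile(r"Logon Success Account Name: (?P<user>\S+) .*Source Address: (?P<ip>\S+)"),
    "mdm": re.compile(r"device checked in; owner=(?P<user>[^;]+); wifi_ip=(?P<ip>\S+)"),
}
LOGOUT = re.compile(r"(?:LOGOUT|Logoff) user=(?P<user>\S+) ip=(?P<ip>\S+)")
SYSLOG_HDR = re.compile(r"^<\d+>(\w{3} +\d+ [\d:]+) (\S+) (.*)$")

SAMPLE_LOGS = [  # constructed sample input
    "<86>Mar 4 10:01:02 nac01 radius: AUTH-SUCCESS user=alice ip=10.1.20.5 ssid=corp",
    "<13>Mar 4 10:01:30 dc01 Security: Logon Success Account Name: CORP\\bob Logon Type: 3 Source Address: 10.1.30.9",
    "<14>Mar 4 10:02:11 mdm01 mdm: device checked in; owner=carol@corp.example; wifi_ip=10.1.40.7",
    "<86>Mar 4 10:05:00 nac01 radius: AUTH-SUCCESS user=dave ip=10.1.20.5 ssid=corp",
    "<86>Mar 4 10:06:00 nac01 radius: LOGOUT user=dave ip=10.1.20.5",
    "<14>Mar 4 10:07:00 mdm01 mdm: heartbeat ok",
]


def parse_line(line):
    """Return ('login'|'logout', ip, user) for a recognised event, else None."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    _ts, host, msg = m.groups()
    out = LOGOUT.search(msg)
    if out:
        return ("logout", out["ip"], out["user"].lower())
    source = host.rstrip("0123456789")  # nac01 -> nac
    pat = PARSERS.get(source)
    if not pat:
        return None
    g = pat.search(msg)
    return ("login", g["ip"], g["user"].lower()) if g else None


def build_mappings(lines):
    """Return {ip: user}. A later login on the same IP replaces the earlier
    one (the address changed hands); a logout for the mapped user removes it.
    The firewall additionally ages mappings out with a timeout."""
    table = {}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        kind, ip, user = ev
        if kind == "login":
            table[ip] = user
        elif table.get(ip) == user:
            del table[ip]
    return table


if __name__ == "__main__":
    for ip, user in sorted(build_mappings(SAMPLE_LOGS).items()):
        print(f"{ip:<14} {user}")
```

Note the replacement rule for a second login on the same IP: on a shared wireless address pool that is exactly the case that makes a stale mapping attribute one user's traffic to another, which is why the listener should also receive logout events where the source provides them.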


Question 788

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 789

Which active-passive HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 790

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 791

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption deployment, two factors that matter are the encryption algorithm (more precisely the negotiated cipher suite, including its key exchange) and the TLS protocol version, because both determine how much work the firewall does per decrypted session.

The cipher suite sets the cost of the handshake and of bulk encryption. Symmetric ciphers such as AES-GCM or ChaCha20-Poly1305 protect the data and are comparatively cheap; the asymmetric operations in the handshake (RSA or ECDSA signatures and (EC)DHE key agreement) dominate the per-session cost. The key exchange also decides how the firewall can decrypt: with RSA key exchange the firewall can decrypt inbound traffic using the server's private key, but with (EC)DHE, which provides perfect forward secrecy, it must act as a proxy and complete its own handshake with both client and server. The firewall must support the suites that clients and servers negotiate and have the CPU and memory to process them at the expected session rate.

The TLS version defines which cipher suites, certificate types and handshake messages are allowed. TLS 1.3 permits only AEAD suites such as AES-GCM and ChaCha20-Poly1305 and removes static RSA key exchange in favour of (EC)DHE, so every decrypted TLS 1.3 session requires full proxying; its shorter handshake reduces latency but not the asymmetric work per session. Hardware acceleration capacity therefore matters when a large share of traffic is TLS 1.3.

The number of security zones referenced in decryption policies and the number of blocked sessions are not sizing factors. Zones only affect how traffic is matched to decryption rules; blocked sessions are sessions denied by Security or Decryption policy and consume no decryption resources.

Reference: Encryption Algorithms; TLS Protocol Versions; Decryption Policy; PCNSE Study Guide (page 60)


Question 792

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 793

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.

Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.


Question 794

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface in needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 795

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 796

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?



Answer : D

The exhibit shows ethernet1/5 and ethernet1/7 as the two members of a virtual wire. Virtual-wire interfaces carry no IP addresses and belong to no virtual router, so routing lookups play no part; a packet that enters one member of the wire can only leave through the other member.

The egress interface for traffic entering on ethernet1/7 from 192.168.111.3 to 10.46.41.113 is therefore ethernet1/5. The traffic matches the virtual wire formed by ethernet1/5 and ethernet1/7, subject to the VLAN tags that wire is configured to allow, and the Security policy rule permitting traffic from the Trust zone (ethernet1/7) to the Untrust zone (ethernet1/5) lets it through, so it is forwarded out ethernet1/5.


Question 797

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?



Answer : C


Question 798

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?



Answer : B


Question 799

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 800

As a best practice, logging at session start should be used in which case?



Answer : A


Question 801

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 802

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?



Answer : C


Question 803

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: "After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy."

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 804

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?



Answer : A

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 '- Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration' 'You need to be careful what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox). This still will be part of the template, because now your template is explicitly defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value'


Question 805

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?



Answer : D


Question 806

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?



Answer : B

For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.

Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.


Question 807

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 808

How does Panorama prompt VMWare NSX to quarantine an infected VM?



Answer : A


Question 809

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 810

Which three split tunnel methods are supported by a globalProtect gateway? (Choose three.)



Answer : A, B, C


Question 811

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 812

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)



Answer : A, D


Question 813

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?



Answer : A

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format

Step-by-Step

Understanding Log Forwarding in PAN-OS:

Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.

Traffic logs can be customized to include additional information that meets the audit or operational requirements.

Syslog Server Profiles:

Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.

These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).

Custom Log Format:

Navigate to Device > Server Profiles > Syslog.

Within the Syslog Server Profile, define a Custom Log Format for traffic logs.

Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.

Field Specification:

In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.

Example:

$receive_time,$src,$dst,$app,$action,$rule

The engineer can include specific details as requested by the audit team.

Comparison of Other Options:

Option B: Built-in Actions within Objects > Log Forwarding Profile

Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.

Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.

Option C: Logging and Reporting Settings within Device > Setup > Management

These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.

Option D: Data Patterns within Objects > Custom Objects

Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.

Why A is Correct?

The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.

This flexibility allows the firewall engineer to meet specific compliance or audit requirements.

Documentation Reference:

PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.

PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.
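The receiving side of this setup is worth seeing once: the syslog server (or SIEM collector) has to split each forwarded line back into the fields the Custom Log Format defined, and a mismatch between the format string and the parser is the usual reason audit fields "go missing". The following Python is an added example, not code from Palo Alto Networks or from this study guide. It takes the page's own format string ($receive_time,$src,$dst,$app,$action,$rule), derives the field order from it, strips an assumed BSD-style syslog header (PRI, timestamp, hostname) in front of the payload, and answers two typical audit questions over a handful of constructed sample lines: which sessions were not allowed, and how many sessions each rule matched. The header regex and the sample lines are assumptions made for the example.

```python
import csv
import io
import re
from collections import Counter

# The Custom Log Format string from the question's explanation (field order is significant).
CUSTOM_FORMAT = "$receive_time,$src,$dst,$app,$action,$rule"

# Assumption: a BSD-style syslog header "<PRI>Mon DD HH:MM:SS hostname " precedes the payload.
_SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(?P<payload>.*)$"
)

# Constructed sample lines, in the shape a collector would receive them (not real firewall output).
SAMPLE_LINES = [
    "<14>Jan  5 10:15:01 fw-edge-01 2024/01/05 10:15:01,10.0.1.25,203.0.113.10,web-browsing,allow,Allow-Outbound-Web",
    "<14>Jan  5 10:15:02 fw-edge-01 2024/01/05 10:15:02,10.0.1.77,198.51.100.5,ssh,deny,Block-Unapproved-Admin",
    "<14>Jan  5 10:15:03 fw-edge-01 2024/01/05 10:15:03,10.0.2.8,203.0.113.44,dns,allow,Allow-DNS",
]


def format_fields(fmt=CUSTOM_FORMAT):
    """Turn "$a,$b,..." into ["a", "b", ...], rejecting tokens that are not $-variables."""
    names = []
    for tok in fmt.split(","):
        tok = tok.strip()
        if not tok.startswith("$") or len(tok) < 2:
            raise ValueError(f"not a log field variable: {tok!r}")
        names.append(tok[1:])
    return names


def strip_syslog_header(line):
    """Return the message payload; a line without a recognised header is passed through unchanged."""
    m = _SYSLOG_HEADER.match(line)
    return m.group("payload") if m else line


def parse_forwarded_line(line, fmt=CUSTOM_FORMAT):
    """Map one forwarded line onto the field names of the custom format.

    A field-count mismatch is raised rather than silently truncated: that is exactly the
    symptom of the firewall profile and the collector disagreeing on the format.
    """
    names = format_fields(fmt)
    payload = strip_syslog_header(line)
    values = next(csv.reader(io.StringIO(payload)))  # csv handles quoted values with commas
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {payload!r}")
    return dict(zip(names, values))


def denied_sessions(lines, fmt=CUSTOM_FORMAT):
    """Records whose $action is anything other than allow (deny, drop, reset-*, ...)."""
    return [rec for rec in (parse_forwarded_line(l, fmt) for l in lines) if rec["action"] != "allow"]


def sessions_per_rule(lines, fmt=CUSTOM_FORMAT):
    """Count of forwarded sessions per matching $rule, a common audit summary."""
    return Counter(parse_forwarded_line(l, fmt)["rule"] for l in lines)


if __name__ == "__main__":
    for rec in denied_sessions(SAMPLE_LINES):
        print(f"{rec['receive_time']} {rec['src']} -> {rec['dst']} {rec['app']} {rec['action']} via {rec['rule']}")
    print(dict(sessions_per_rule(SAMPLE_LINES)))
```

If the audit team later asks for extra fields (for example $srcuser or $category), they are appended to CUSTOM_FORMAT on the firewall profile and the parser picks up the new column order automatically; a line from a firewall still sending the old format then fails with a clear field-count error instead of shifting values into the wrong columns.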


Question 814

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?



Answer : C

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.


Question 815

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.

To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.


Question 816

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?



Answer : D

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.


Question 817

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?



Answer : A


Question 818

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?



Answer : D


Question 819

An administrator just enabled HA Heartbeat Backup on two devices. However, the firewall's dashboard is showing the High Availability status as down.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 820

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 821

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 822

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?



Answer : A


Question 823

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 824

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods. Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 825

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?



Answer : D

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516


Question 826

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : C

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.


Question 827

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 828

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 829

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 830

View the screenshots.

A QoS profile and policy rules are configured as shown. Based on this information which two statements are correct?



Answer : B, D


Question 831

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D, D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 832

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 833

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages


Question 834

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.

Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.


Question 835

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)


Question 836

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 837

As a best practice, logging at session start should be used in which case?



Answer : A


Question 838

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 839

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?



Answer : D


Question 840

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 841

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)



Answer : C, D


Question 842

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?



Answer : C

When troubleshooting Palo Alto Networks services, such as dynamic updates, verifying the status of service routes is critical. Service routes determine how the firewall communicates with external services (e.g., Palo Alto Networks update servers, WildFire, DNS, etc.) from the Management Plane or data plane interfaces.

Why 'debug dataplane internal vif route 250' is Correct

Purpose of the Command:

This command allows administrators to view the service routes configured on the firewall and verify if they are installed correctly and actively working.

The number 250 specifically refers to service routes in the Management Plane.

Output:

The command displays detailed information about service routes, including routing decisions, source interfaces, and next-hop IPs.

Helps identify issues such as:

Incorrect interface configuration.

Invalid next-hop IPs.

Missing routes for specific services.

Analysis of Other Options

debug dataplane internal vif route 255

Incorrect:

The number 255 does not correspond to service routes but is used for internal route debugging unrelated to management plane service routes.

show routing route type management

Incorrect:

This command does not exist in PAN-OS CLI. It might be a misrepresentation of another command.

debug dataplane internal vif route 250

Correct:

As explained above, this is the correct command for verifying service routes in the Management Plane.

show routing route type service-route

Incorrect:

This is not a valid PAN-OS CLI command.

PAN-OS Documentation Reference

Service Routes in PAN-OS 11.0:

The configuration and verification of service routes are covered under the Device > Setup > Services section of the GUI.

For CLI, the debug dataplane internal vif route 250 command is specifically used for troubleshooting service routes in the Management Plane.

For more details, refer to:

PAN-OS 11.0 CLI Guide: Covers debugging tools and service route verification.

PCNSA Study Guide: Domain 1 includes service route configurations and their importance in maintaining connectivity for management services.


Question 843

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-user mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f


Question 844

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 845

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods.

Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 846

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 847

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 848

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?



Answer : C

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.


Question 849

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 850

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 851

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 852

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 853

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

A)

B)

C)

D)



Answer : A


Question 854

Where can a service route be configured for a specific destination IP?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 855

Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?



Answer : C


Question 856

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 857

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)



Answer : A, B


Question 858

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?



Answer : A


Question 859

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 860

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 861

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 862

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down for High Availability.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 863

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)



Answer : A, D


Question 864

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 865

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols


Question 866

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 867

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 868

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 869

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?



Answer : B

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.


Question 870

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 871

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality.

Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)


Question 872

Which source is the most reliable for collecting User-ID user mapping?



Answer : D


Question 873

Exhibit.

Review the screenshots and consider the following information

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.


Question 874

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 875

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 876

PBF can address which two scenarios? (Choose two.)



Answer : A, B

Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:

A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.


Question 877

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)



Answer : A, B


Question 878

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 879

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 880

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 881

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : A

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 882

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 883

Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?



Answer : C


Question 884

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?



Answer : D


Question 885

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B. Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C. Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 886

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 887

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 888

As a best practice, which URL category should you target first for SSL decryption?



Answer : B

Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.

Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.


Question 889

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 890

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 891

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 892

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C. Place a more specific NAT rule above the broader one:

Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.

Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.

Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.


Question 893

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 894

Which method will dynamically register tags on the Palo Alto Networks NGFW?



Question 895

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?



Answer : A


Question 896

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?



Answer : B


Question 897

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 898

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?



Answer : D

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic.

Reference: App-ID Overview, Create a Security Policy Rule


Question 899

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 900

What action does a firewall take when a Decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : C


Question 901

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 902

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 903

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three.)



Answer : A, B, C


Question 904

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)



Question 905

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 906

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 907

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 908

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 909

Which feature can provide NGFWs with User-ID mapping information?



Answer : C


Question 910

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.

If you do not believe this, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including the specific action for each signature.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 911

A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : C

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator's access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI.

Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read-only to control what administrators can configure.


Question 912

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)



Answer : A, B


Question 913

Which link is responsible for synchronizing sessions between high availability (HA) peers?



Answer : D


Question 914

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 915

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 916

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 917

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : A


Question 918

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 919

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?



Answer : D


Question 920

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 921

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator identify any new applications that are not explicitly defined in the rule but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications.

Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 922

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 923

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 924

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 925

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 926

An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 927

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 928

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 929

Review the screenshot of the Certificates page.

An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption rollout. The administrator has also installed the self-signed root certificate on all client systems.

When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.

What is the cause of the unsecured website warnings?



Answer : D

The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate on all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate.

Reference: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption


Question 930

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 931

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 932

What are two requirements of IPSec in transport mode? (Choose two.)



Answer : C, D


Question 933

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments.

Reference: Monitor New App-IDs


Question 934

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 935

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?



Answer : D

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview


Question 936

An administrator notices that interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?



Answer : C


Question 937

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 938

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?



Answer : A


Question 939

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 940

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Palo Alto Networks Panorama 7.0 Administrator's Guide, "Manage Firewalls > Manage Device Groups > Add a Device Group":

After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 941

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?



Answer : C


Question 942

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?



Answer : B

The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.

Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.


Question 943

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 944

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 945

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 946

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.

https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 947

A customer wants to enhance the protection provided by their Palo Alto Networks NGFW deployment to cover public-facing company-owned domains from misconfigurations that point records to third-party sources. Which two actions should the network administrator perform to achieve this goal? (Choose two.)



Answer : C, D

To protect against DNS misconfigurations, Advanced DNS Security and Advanced URL Filtering licenses (Option C) enable DNS sinkholing and domain monitoring. In an Anti-Spyware profile (Option D), the DNS Policies section allows adding specific domains to detect and block misconfigured records pointing to third-party sources.

Option A (Threat Prevention) lacks DNS-specific features for this use case. Option B (Vulnerability Protection) doesn't include DNS misconfiguration settings. Documentation confirms Anti-Spyware with DNS Security for this purpose.


Question 948

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)



Answer : B, D


Question 949

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template can an engineer configure? (Choose three.)



Answer : A, C, D

A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.


Question 950

A security engineer needs to mitigate packet floods that occur on RSF servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?



Answer : A


Question 951

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

In addition to flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 952

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 953

Why would a traffic log list an application as "not-applicable''?



Answer : A

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.


Question 954

A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 955

Which type of zone will allow different virtual systems to communicate with each other?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone


Question 956

A company needs to preconfigure firewalls to be sent to remote sites with the least amount of reconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers to include the future regional data centers.

Which VPN configuration would adapt to changes when deployed to the future site?



Answer : A


Question 957

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 958

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 959

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?



Answer : D


Question 960

If a URL is in multiple custom URL categories with different actions, which action will take priority?



Answer : C

When a URL matches multiple categories, the category chosen is the one that has the most severe action, in the order listed below (block being most severe and allow least severe).

1 block

2 override

3 continue

4 alert

5 allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC


Question 961

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B. Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C. Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 962

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?



Answer : B

In Panorama, zones defined in a template must be linked to a device group for visibility in policy creation. Adding the template as a reference template in the device group (Option B) ensures its zones are available in the policy editor's drop-down list.

Option A (master device) affects User-ID, not zones. Option C (add firewall) is a prerequisite, not a fix. Option D (share objects) is unrelated to zones. Documentation specifies reference templates for this issue.


Question 963

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 964

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?



Answer : B

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb


Question 965

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?



Answer : B

The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.

Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.


Question 966

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 967

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK


Question 968

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 969

Given the following configuration, which route is used for destination 10.10.0.4?



Answer : A


Question 970

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?



Question 971

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?



Answer : D

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview


Question 972

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 973

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.

Which template values will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management?



Question 974

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?



Answer : A


Question 975

Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?



Answer : C


Question 976

What is the best description of the Cluster Synchronization Timeout (min)?



Answer : A

The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier.

Reference: Configure HA Clustering, PCNSE Study Guide (page 53)


Question 977

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 978

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 979

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP-assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 980

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?



Answer : B


Question 981

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama.

Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 982

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 983

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.

Without changing the existing access to the management interface, how can the engineer fulfill this request?



Answer : C

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C. This can be achieved by:

Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.

Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.


Question 984

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)



Answer : B, C, E


Question 985

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)



Answer : A, B


Question 986

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

Reference: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages


Question 987

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?



Answer : D

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-clustering-overview


Question 988

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 989

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 990

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection


Question 991

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 992

Exhibit.

Review the screenshots and consider the following information:

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.


Question 993

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 994

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 995

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats.

Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)


Question 996

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?



Answer : A


Question 997

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc.

Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 998

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?



Answer : C

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management

Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.


Question 999

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can forward the broadcast DHCP traffic?



Answer : B


Question 1000

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 1001

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 1002

What are two requirements of IPSec in transport mode? (Choose two.)



Answer : C, D


Question 1003

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event.

Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?



Answer : D

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover.

Reference: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices


Question 1004

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?



Answer : B


Question 1005

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy.

Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 1006

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?



Answer : C


Question 1007

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 1008

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 1009

Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to the SSH requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 1010

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)



Answer : C, D


Question 1011

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 1012

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 1013

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 1014

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?



Answer : A


Question 1015

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?



Answer : C


Question 1016

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?



Answer : C


Question 1017

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 1018

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three.)



Answer : B, C, D


Question 1019

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?



Answer : D


Question 1020

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 1021

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.

Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.


Question 1022

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 1023

If a URL is in multiple custom URL categories with different actions, which action will take priority?



Answer : C

When a URL matches multiple categories, the category chosen is the one that has the most severe action as ranked below (block being most severe and allow least severe):

1. block

2. override

3. continue

4. alert

5. allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC


Question 1024

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 1025

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1026

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 1027

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 1028

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 1029

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 1030

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 1031

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 1032

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)



Answer : B, D

The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key.

Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)


Question 1033

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.

To verify this, log in to the firewall, go to Vulnerability > Exceptions and select 'Show all signatures'. From there you will see all threat information, including the specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 1034

Which CLI command displays the physical media that are connected to ethernet1/8?



Answer : B

The CLI command 'show system state filter-pretty sys.s1.p8.phy' displays detailed physical layer information, including the physical media connected to a specific interface such as ethernet1/8 (s1 is the slot, p8 the port). The filter limits the output to the physical layer state of the specified interface.

For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.


Question 1035

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 1036

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 1037

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 1038

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 1039

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?



Answer : D

Using Policy Optimizer to migrate to application-based rules, adding the container application (Option D) ensures future-proofing. Container apps (e.g., 'web-browsing') include child apps (e.g., specific web services) as signatures evolve, maintaining rule accuracy without over-matching unrelated traffic.

Option A (custom app with ports) reverts to port-based logic, losing App-ID benefits. Option B (application filter) risks overbroad matching (e.g., by category). Option C (specific apps) lacks flexibility for new child apps. Documentation supports container apps for this purpose.


Question 1040

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter.

What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : B


Question 1041

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?



Answer : B


Question 1042

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols


Question 1043

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?



Answer : D


Question 1044

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?



Answer : A


Question 1045

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

In addition to IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks, in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f


Question 1046

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 1047

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?



Answer : C

For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

C. The process involves:

Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.

Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.


Question 1048

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 1049

Which three items must be configured to implement application override? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO


Question 1050

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 1051

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 1052

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 1053

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?



Answer : A

Perfect Forward Secrecy (PFS) ensures unique session keys per VPN session, enabled under the IKE Gateway advanced options (Option A) by selecting a Diffie-Hellman (DH) group. This resolves Phase 2 mismatches if the peer requires PFS.

Option B (IPsec Tunnel) doesn't directly control PFS. Option C (DH Group in IPsec Crypto) is related but not the enablement point. Option D (authentication algorithm) is unrelated. Documentation specifies IKE Gateway for PFS.


Question 1054

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?



Answer : A


Question 1055

A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall?



Answer : C


Question 1056

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the 'Tentative' state. This state indicates that the firewall is synchronizing sessions and configurations from its peer because of a failure or a change in a monitored object such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.


Question 1057

Which active-passive HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 1058

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 1059

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 1060

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)



Answer : B, D

When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

B. Template stacks:

Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

D. Variables:

Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.


Question 1061

Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)



Answer : A, B, C


Question 1062

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1063

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?



Answer : A


Question 1064

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8


Question 1065

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on an Authentication profile ordered Kerberos, LDAP, and then TACACS+?



Answer : B


Question 1066

A network engineer troubleshoots a VPN Phase 2 mismatch and decides that PFS (Perfect Forward Secrecy) needs to be enabled. What action should the engineer take?



Answer : D


Question 1067

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 1068

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 1069

Review the images. A firewall policy that permits web traffic and includes the global-logs policy is depicted.

What is the result of traffic that matches the "Alert - Threats" Profile Match List?



Answer : C


Question 1070

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?



Answer : B


Question 1071

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 1072

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 1073

Which tool can gather information about the application patterns when defining a signature for a custom application?



Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.


Question 1074

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)


Question 1075

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 1076

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the Security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact Security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs


Question 1077

What should an engineer consider when setting up the DNS proxy for web proxy?



Answer : A


Question 1078

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 1079

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 1080

What happens when the log forwarding built-in action with tagging is used?



Answer : A

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.


Question 1081

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 1082

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1083

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS



Question 1084

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?



Answer : C


Question 1085

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 1086

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?



Answer : D


Question 1087

What is the best description of the Cluster Synchronization Timeout (min)?



Answer : A

The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This parameter is configured in an HA cluster, a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall waits for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive and have synchronized their sessions with each other. If another cluster member is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, it may prevent the cluster from fully synchronizing and delay traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, the local firewall does not wait for any other cluster member and immediately goes to Active state. If it is set to a positive value, the local firewall waits for that amount of time before going to Active state, unless the cluster reaches a stable state earlier. Reference: Configure HA Clustering, PCNSE Study Guide (page 53)


Question 1088

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1089

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1090

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 1091

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?



Answer : B


Question 1092

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1093

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 1094

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy intercepts client web traffic without any browser or system proxy setting, so the firewall needs a destination NAT rule that redirects the intercepted HTTP (port 80) and HTTPS (port 443) traffic to its own web-proxy listener. In the PAN-OS transparent proxy configuration, that NAT rule's translated port is 8080 (option C); the proxy then applies URL filtering and decryption to the session before forwarding it to the real destination.

Options A (80) and B (443) are the original destination ports of the traffic being intercepted, not the port the proxy listens on, and option D (4443) is not the port the PAN-OS web proxy uses.


Question 1095

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 1096

Which link is responsible for synchronizing sessions between high availability (HA) peers?



Answer : D


Question 1097

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

An application override tells the firewall to classify matching traffic as a specified application (usually a custom application) instead of running App-ID on it. It is used when App-ID misclassifies a proprietary protocol, or when Layer 7 identification is an unacceptable performance cost for a known internal flow. The trade-off is security-relevant: overridden sessions also bypass Content-ID, so threat, URL and file inspection are not applied to them. Scope override rules as narrowly as possible (specific zones, addresses, protocol and port).

To successfully implement application override, the following items must be configured:

B . Application override policy rule:

This rule (Policies > Application Override) selects the traffic by source and destination zones, addresses, protocol and port, and names the application the firewall should assign to it. For matching sessions the firewall takes the application from the override rule rather than from the App-ID engine.

C . Security policy rule:

The override only changes how traffic is classified; a security policy rule must still allow it. That rule should reference the application named in the override (not the application App-ID would otherwise have detected) and match the same zones and addresses, otherwise the overridden sessions fall through to the interzone default-deny rule and are dropped.

Step-by-step configuration guidance is in the official Palo Alto Networks documentation for application override.


Question 1098

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?



Answer : D


Question 1099

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks' documented order for a Panorama-managed environment is Panorama first, then the Log Collectors, then the firewalls. Panorama must run a PAN-OS version equal to or later than that of any firewall it manages (it can manage firewalls on an older release, but not on a newer one), and Log Collectors must run the same version as Panorama, so both are upgraded before any firewall. Upgrading the firewalls last, physical and virtual alike, keeps management and log collection working throughout the process.

Options A, B, and D upgrade a managed device before its manager and so risk a firewall or Log Collector running a release that Panorama does not yet support. The documented sequence minimizes downtime and preserves compatibility.


Question 1100

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat


Question 1101

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?



Answer : C


Question 1102

What is the best definition of the Heartbeat Interval?



Answer : C

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

"A 'heartbeat-interval' CLI command was added to the election settings for HA; this interval has a 1000 ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


Question 1103

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 1104

Exhibit.

Given the screenshot, how did the firewall handle the traffic?



Answer : B


Question 1105

What are two requirements of IPSec in transport mode? (Choose two.)



Answer : C, D


Question 1106

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?




Question 1108

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?



Answer : B

In an active/passive HA pair, the HA2 (data) link synchronizes runtime state between the peers: sessions, forwarding tables, IPsec security associations, ARP tables and similar. For IPsec, it is the Phase 2 SAs that are synchronized, so after a failover the new active firewall can keep passing traffic through the existing tunnels without renegotiating them. Phase 1 (IKE) SAs are not synchronized; the new active firewall re-establishes IKE with each VPN peer, which it needs for rekeying and for bringing up any new tunnels.


Question 1109

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?



Answer : C

Both agents build user-to-IP mappings from the same Active Directory sources (domain controller security event logs, and optionally server monitoring and client probing); the difference is where that work runs. The PAN-OS integrated agent runs on the firewall's management plane and consumes the firewall's CPU and memory, which matters when many domain controllers are monitored. The standalone User-ID agent is a Windows service installed on a domain-member Windows host, typically close to the domain controllers, so log collection and parsing are offloaded to that host and the firewall only receives the resulting mappings; this also reduces WAN traffic when the domain controllers are remote from the firewall. Option C describes this offloading and is the correct answer.


Question 1110

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

What should the engineer do to complete the configuration?



Answer : B

The rule's DNS rewrite setting has two directions. Forward: if the DNS response matches the Original Destination Address in the rule, the firewall translates the DNS response using the same translation the rule uses. For a rule that translates 1.1.1.10 to 192.168.1.10, a DNS answer of 1.1.1.10 is rewritten to 192.168.1.10, which is what the engineer wants here. Reverse: if the response matches the Translated Destination Address, the firewall applies the opposite translation, so 192.168.1.10 would be rewritten to 1.1.1.10. DNS rewrite acts on the IPv4 address in A records of DNS responses that pass through the firewall, so the DNS traffic itself must traverse it.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb
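The rewrite described above, carried out on a DNS message in wire format, as an added example that is neither from this page nor Palo Alto Networks code. The response is constructed inline (the name www.example.com and the second address 1.1.1.11 are made up); the rule's original and translated addresses are the ones in the question. The example goes one step beyond the text by also showing the reverse direction and by leaving non-matching answers untouched.

```python
"""DNS rewrite as a destination NAT rule applies it, in the forward and
reverse directions. Added example, not PAN-OS code: it builds a DNS response
with A records in wire format, then rewrites the RDATA the way the rule's
dns-rewrite setting would."""
import ipaddress
import struct
from typing import List


def build_dns_response(txn_id: int, qname: str, answers: List[str]) -> bytes:
    """Construct a minimal DNS response: one question, one A record per
    address. Answer names use a compression pointer (0xC00C) back to the
    question name at offset 12."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(answers), 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = ipaddress.IPv4Address(ip).packed
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes total
            return off + 2
        off += 1 + length


def _answer_section(msg: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):               # skip the question section
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def rewrite_dns_response(msg: bytes, original: str, translated: str,
                         direction: str) -> bytes:
    """Apply the NAT rule's DNS rewrite to every A record in the answers.

    forward: an answer equal to the Original Destination Address becomes the
             Translated Destination Address.
    reverse: an answer equal to the Translated Destination Address becomes the
             Original Destination Address.
    Only type A, class IN records are touched; other answers pass through.
    """
    if direction == "forward":
        match, repl = original, translated
    elif direction == "reverse":
        match, repl = translated, original
    else:
        raise ValueError("direction must be 'forward' or 'reverse'")
    match_b = ipaddress.IPv4Address(match).packed
    repl_b = ipaddress.IPv4Address(repl).packed

    buf = bytearray(msg)
    for off, rtype, rclass, rdlen in _answer_section(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4 and buf[off:off + 4] == match_b:
            buf[off:off + 4] = repl_b      # same length, so offsets stay valid
    return bytes(buf)


def answer_addresses(msg: bytes) -> List[str]:
    """The A-record addresses in a response, for inspection."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, _rclass, rdlen in _answer_section(msg)
            if rtype == 1 and rdlen == 4]


if __name__ == "__main__":
    # Constructed response: the public name resolves to the pre-NAT address.
    resp = build_dns_response(0x1234, "www.example.com", ["1.1.1.10", "1.1.1.11"])
    fwd = rewrite_dns_response(resp, "1.1.1.10", "192.168.1.10", "forward")
    print(answer_addresses(fwd))
```

Because the rewrite substitutes a 4-byte address for a 4-byte address, the message length and all compression pointers remain valid, which is why the firewall can do this without re-serializing the response.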


Question 1111

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 1112

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos, LDAP, and TACACS+?



Answer : B


Question 1113

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror sends a copy of decrypted traffic out of a dedicated Decrypt Mirror interface to an external collector or analysis tool. The mirrored stream is cleartext, so anyone who can reach the mirror destination can read users' decrypted sessions; for that reason PAN-OS requires a superuser to enable the feature (after the free Decryption Port Mirror license is activated on the firewall), and the mirror port should feed an isolated, access-controlled capture network.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry, so the feature should be enabled only after consulting corporate legal counsel to confirm that it does not violate privacy laws or regulatory requirements.

These requirements are outlined in the PAN-OS Administrator's Guide (Decryption Port Mirroring) and the decryption best practice documentation. A tap interface is not required, because the feature uses its own Decrypt Mirror interface type, which eliminates option A. Option C is incorrect because legal compliance, not just management consent, must be established before the feature is used.


Question 1114

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 1115

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm means the cipher suite negotiated for each session, and it sets how much work each decrypted session costs the firewall. The asymmetric handshake dominates: RSA key exchange is cheaper for the firewall than ephemeral (EC)DHE key agreement, which provides perfect forward secrecy but costs more CPU per handshake, and SSL Forward Proxy performs two handshakes per client connection (one with the client, one with the server). The bulk cipher matters less, since symmetric algorithms such as AES-GCM and ChaCha20-Poly1305 are far cheaper than the public-key operations. The firewall must support the cipher suites used by the servers and clients it decrypts and must have enough CPU (or dedicated crypto hardware) for the resulting workload.

The TLS protocol version determines which cipher suites and handshake mechanics are possible. TLS 1.3 removes RSA and static Diffie-Hellman key exchange, so every TLS 1.3 session uses ephemeral (EC)DHE, and it permits only AEAD cipher suites such as AES-GCM and ChaCha20-Poly1305; server certificates may still be RSA or ECDSA. Because forward-secret key exchange is mandatory, a larger share of sessions falls into the more expensive handshake category as TLS 1.3 adoption grows, and the firewall must support the protocol versions in use (with hardware acceleration where the platform offers it) to keep up with the decryption rate.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption deployment. The number of zones only affects how the firewall matches traffic to decryption rules based on source and destination zones; it does not affect decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by security policy or decryption policy rules; it does not affect decryption capacity or throughput.

References: Encryption Algorithms; TLS Protocol Versions; Decryption Policy; PCNSE Study Guide (page 60).


Question 1116

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B . Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C . Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 1117

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 1118

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?



Answer : A


Question 1119

What is the purpose of the firewall decryption broker?



Answer : A


Question 1120

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI Which CLI command can the engineer use?



Answer : A


Question 1121

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?



Answer : B


Question 1122

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 1123

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the certificate for the website https://www.very-important-website.com. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by the well-known certificate chain Well-Known-Intermediate and Well-Known-Root-CA. The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-important-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A

The firewall re-signs a server certificate with the Forward Trust CA only when it can build a chain from that certificate to a CA in its own trusted root store; when it cannot, it re-signs with the Forward Untrust CA, which is exactly what produces the browser warning. The browsers trust the site without decryption because their own stores contain Well-Known-Root-CA, but the firewall's store does not. The fix is therefore on the firewall, not the clients: import the Well-Known-Root-CA (and, if needed, Well-Known-Intermediate) certificate into the firewall's certificate store and mark it as a Trusted Root CA, so this site is signed with the Forward Trust certificate while genuinely untrusted sites still receive the Forward Untrust certificate. Excluding the site from decryption would also remove the warning, but at the cost of no longer inspecting that traffic.


Question 1124

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What should the enterprise do to use PAN-OS MFA?



Answer : C


Question 1125

Which two statements correctly describe Session 380280? (Choose two.)



Answer : A, C


Question 1126

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C: PBF > static route > security policy enforcement. When a session is set up, the firewall first consults Policy-Based Forwarding (PBF), which can override the routing table and forward traffic based on source and destination address, application, user, or service. Only if no PBF rule matches does it fall back to the route table (static routes here), where the longest prefix match on the destination address decides the egress interface. The egress interface fixes the destination zone, and only then can security policy be evaluated, because security rules match on source and destination zones as well as address, port, user, and application.

References: Policy-Based Forwarding; Packet Flow Sequence in PAN-OS.
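The three stages in that order, as an added worked example that is not from this page or from PAN-OS itself. All zones, interfaces, routes, rules and addresses below are constructed for illustration; the point is that PBF is consulted before the route table and that the security decision depends on the destination zone the forwarding lookup produced.

```python
"""Forwarding decision in the order the question gives: PBF first, then the
route table (longest prefix match), then security policy against the egress
zone. Added example, not PAN-OS code; every zone, interface, route, rule and
address here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface-to-zone mapping.
ZONE_OF_INTERFACE = {
    "ethernet1/1": "untrust",   # primary ISP, default route
    "ethernet1/2": "trust",
    "ethernet1/3": "dmz",
    "ethernet1/4": "isp2",      # secondary ISP selected only by PBF
}

# PBF rules, evaluated top-down before any route lookup.
# Caveat: an application-based PBF match only takes effect once App-ID has
# identified the session, so zone/address/service criteria are more reliable.
PBF_RULES = [
    {"from_zone": "trust", "dst": "0.0.0.0/0", "app": "web-browsing",
     "egress": "ethernet1/4"},
]

# Static routes; the most specific prefix wins.
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.0.0.0/8", "ethernet1/2"),
    ("10.1.0.0/16", "ethernet1/3"),
]

# Security rules, evaluated top-down once the destination zone is known.
SECURITY_RULES = [
    {"from": "trust", "to": "dmz", "apps": {"ssh", "web-browsing"}, "action": "allow"},
    {"from": "trust", "to": "isp2", "apps": {"web-browsing"}, "action": "allow"},
    {"from": "trust", "to": "untrust", "apps": {"web-browsing", "ssl"}, "action": "allow"},
]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst: str
    app: str


def pbf_lookup(pkt: Packet) -> Optional[str]:
    """Egress interface from the first matching PBF rule, or None."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in PBF_RULES:
        if (rule["from_zone"] == pkt.src_zone
                and dst in ipaddress.ip_network(rule["dst"])
                and rule["app"] == pkt.app):
            return rule["egress"]
    return None


def route_lookup(dst_ip: str) -> str:
    """Longest-prefix match over the static routes."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def security_lookup(src_zone: str, dst_zone: str, app: str) -> str:
    """First matching rule's action; otherwise the built-in defaults apply:
    intrazone-default allows, interzone-default denies."""
    for rule in SECURITY_RULES:
        if rule["from"] == src_zone and rule["to"] == dst_zone and app in rule["apps"]:
            return rule["action"]
    return "allow" if src_zone == dst_zone else "deny"


def process(pkt: Packet) -> dict:
    """Run the three stages in order and report what each decided."""
    egress = pbf_lookup(pkt)
    stage = "pbf"
    if egress is None:
        egress = route_lookup(pkt.dst)
        stage = "static-route"
    dst_zone = ZONE_OF_INTERFACE[egress]
    return {"forwarded_by": stage, "egress": egress, "dst_zone": dst_zone,
            "action": security_lookup(pkt.src_zone, dst_zone, pkt.app)}


if __name__ == "__main__":
    for p in (Packet("trust", "10.1.2.3", "ssh"),
              Packet("trust", "10.1.2.3", "web-browsing"),
              Packet("trust", "8.8.8.8", "ssh")):
        print(p, process(p))
```

Note what the second packet shows: the same destination that the route table would send to the DMZ is steered to isp2 by PBF, and it is the isp2 rule, not the dmz rule, that the security policy then evaluates. A PBF change can therefore silently move traffic under a different security rule.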


Question 1127

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?



Answer : A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention


Question 1128

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic log (Monitor > Logs > Traffic) records the NAT outcome for each session. If the Source NAT or Destination NAT columns are added to the view, or the detailed log view is opened, the NAT Source IP and Port columns show the translated source address and port and the NAT Destination IP and Port columns show the translated destination address and port, alongside the original (pre-NAT) values. Comparing the pre-NAT and post-NAT addresses and ports identifies which NAT policy handled the flow.


Question 1129

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?



Answer : B


Question 1130

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 1131

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C . It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1132

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: after adding firewalls (see Add a Firewall as a Managed Device), you can group them into device groups (up to 256). Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 1133

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 1134

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 1135

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?



Answer : B

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first


Question 1136

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 1137

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?



Question 1138

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : A

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 1139

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.)



Answer : B, C, E


Question 1140

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls


Question 1141

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 1142

Exhibit.

Review the screenshots and consider the following information

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG

2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.
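The inheritance walk described in the analysis, as an added example that is not from this page or from Panorama. The device-group nesting is read from the outline above; placing FW-1_DG under OFFICE_FW_DG is an assumption, and the values of Server-1 in groups other than Shared and FW-1_DG are not given on the page, so they are left undefined. The example goes beyond the question in one respect: the `ancestors_take_precedence` switch models the Panorama setting "Objects defined in ancestors will take higher precedence", which inverts the default child-wins resolution.

```python
"""Which value of a Panorama Address Object a firewall receives, resolved
through the device-group hierarchy from the question. Added example, not
Panorama code; see the lead-in for which parts are assumed."""
from typing import List, Optional, Tuple

SHARED = "Shared"

# child device group -> parent (top-level groups inherit from Shared)
PARENT = {
    "DATACENTER_DG": SHARED,
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": SHARED,
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "OFFICE_FW_DG",   # assumption: nesting not shown on the page
}

# object name -> {device group where it is defined: value}
# Only the Shared and FW-1_DG values of Server-1 are given in the question.
OBJECTS = {
    "Server-1": {SHARED: "1.1.1.1", "FW-1_DG": "4.4.4.4"},
}

# firewall -> device group it is assigned to (from the question)
FIREWALL_DG = {"FW-1": "FW-1_DG", "FW-2": "OFFICE_FW_DG"}


def ancestry(device_group: str) -> List[str]:
    """The device group followed by each ancestor, ending with Shared."""
    chain = [device_group]
    while chain[-1] != SHARED:
        chain.append(PARENT[chain[-1]])
    return chain


def resolve(obj_name: str, firewall: str,
            ancestors_take_precedence: bool = False) -> Optional[Tuple[str, str]]:
    """Return (device group that supplied the value, value) for the object
    Panorama pushes to `firewall`, or None when no definition exists.

    Default Panorama behaviour: the definition nearest the firewall wins, so
    a value in the firewall's own device group overrides an inherited one.
    With ancestors_take_precedence=True the search runs top-down instead, so
    the Shared (or highest-level) definition wins.
    """
    values = OBJECTS.get(obj_name, {})
    chain = ancestry(FIREWALL_DG[firewall])
    if ancestors_take_precedence:
        chain = chain[::-1]
    for dg in chain:
        if dg in values:
            return dg, values[dg]
    return None


if __name__ == "__main__":
    for fw in FIREWALL_DG:
        print(fw, "default:", resolve("Server-1", fw),
              "ancestors first:", resolve("Server-1", fw, True))
```

With the default setting FW-1 receives 4.4.4.4 from its own group and FW-2 receives 1.1.1.1 from Shared; flipping the precedence setting would send 1.1.1.1 to both, which is worth checking before relying on a local override for a security-relevant object.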



Question 1144

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?



Answer : B


Question 1145

Which DoS Protection Profile detects and prevents session exhaustion attacks against specific destinations?



Answer : A

Besides IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks, in which a large number of hosts (bots) establish as many sessions as possible to consume a target's resources. On the profile's Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f
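The Resources Protection behaviour just described, replayed over a constructed stream of session events, as an added example that is not from this page or from PAN-OS. The limit, addresses and events are made up. The example also covers the profile's two types, aggregate (one counter for everything the DoS policy rule matches) and classified (a counter per source, destination, or source-and-destination pair), which the text above does not separate.

```python
"""Session-exhaustion protection as the DoS Protection profile's Resources
Protection tab describes it: a maximum number of concurrent sessions toward
the destinations a DoS policy rule protects, with new sessions dropped once
that maximum is reached. Added example, not PAN-OS code; the limit,
addresses and session events are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

CLASSIFIERS = (None, "source", "destination", "source-and-destination")


class ResourceProtection:
    """Track concurrent sessions and enforce a maximum.

    classified_by=None models an aggregate profile (a single counter for all
    traffic the DoS policy rule matches). 'source', 'destination' or
    'source-and-destination' model a classified profile, which keeps one
    counter per source, per destination, or per (source, destination) pair.
    """

    def __init__(self, max_concurrent: int, classified_by: Optional[str] = None):
        if classified_by not in CLASSIFIERS:
            raise ValueError(f"unsupported classification: {classified_by!r}")
        self.max_concurrent = max_concurrent
        self.classified_by = classified_by
        self.counts: Dict[object, int] = defaultdict(int)
        self.active = set()   # (src, dst, sport) of allowed, still-open sessions

    def _key(self, src: str, dst: str):
        if self.classified_by is None:
            return "aggregate"
        if self.classified_by == "source":
            return src
        if self.classified_by == "destination":
            return dst
        return (src, dst)

    def session_start(self, src: str, dst: str, sport: int) -> str:
        """Decide whether a new session may be created: 'allow' or 'drop'."""
        key = self._key(src, dst)
        if self.counts[key] >= self.max_concurrent:
            return "drop"                 # limit reached: the new session is dropped
        self.counts[key] += 1
        self.active.add((src, dst, sport))
        return "allow"

    def session_end(self, src: str, dst: str, sport: int) -> None:
        """Release a slot when an allowed session closes. Sessions that were
        dropped (never allowed) do not touch the counters."""
        session = (src, dst, sport)
        if session in self.active:
            self.active.remove(session)
            self.counts[self._key(src, dst)] -= 1

    def concurrent(self, src: str, dst: str) -> int:
        """Current count for the counter that (src, dst) falls under."""
        return self.counts[self._key(src, dst)]


def replay(profile: ResourceProtection,
           events: List[Tuple[str, str, str, int]]) -> List[str]:
    """Feed ('start'|'end', src, dst, sport) events through the profile and
    return the allow/drop decision for each 'start'."""
    decisions = []
    for kind, src, dst, sport in events:
        if kind == "start":
            decisions.append(profile.session_start(src, dst, sport))
        elif kind == "end":
            profile.session_end(src, dst, sport)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return decisions


# Constructed events: five bots open sessions to one protected server, one
# client connects to a second server, then one of the first sessions closes
# and a sixth bot tries again.
SAMPLE_EVENTS = [
    ("start", "198.51.100.1", "203.0.113.10", 40001),
    ("start", "198.51.100.2", "203.0.113.10", 40001),
    ("start", "198.51.100.3", "203.0.113.10", 40001),
    ("start", "198.51.100.4", "203.0.113.10", 40001),
    ("start", "198.51.100.5", "203.0.113.10", 40001),
    ("start", "198.51.100.1", "203.0.113.20", 40002),
    ("end",   "198.51.100.1", "203.0.113.10", 40001),
    ("start", "198.51.100.6", "203.0.113.10", 40001),
]

if __name__ == "__main__":
    print("classified by destination:",
          replay(ResourceProtection(3, "destination"), SAMPLE_EVENTS))
    print("aggregate:", replay(ResourceProtection(3), SAMPLE_EVENTS))
```

The two runs differ on the sixth event: a classified-by-destination profile still admits the session to the second server because that server has its own counter, while an aggregate profile has already spent its three slots on the first server and drops it. That difference is why aggregate profiles are sized for the whole rule's traffic and classified profiles per protected host.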


Question 1146

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template can an engineer configure? (Choose three.)



Answer : A, C, D

A, C, and D are the correct answers because they are parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings (the Device and Network tab configuration) that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.


Question 1147

Which translated port number should be used when configuring a NAT rule for transparent proxy?



Answer : C


Question 1148

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?



Answer : A


Question 1149

An engineer configures SSL decryption in order to have more visibility into the internal users' traffic when it is egressing the firewall.

Which three types of interfaces support SSL Forward Proxy? (Choose three.)



Answer : B, C, E

PAN-OS can decrypt and inspect SSL inbound and outbound connections going through the firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmyCAC


Question 1150

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.


Question 1151

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?



Answer : B

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other


Question 1152

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1153

A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panorama. In which section is this configured?



Answer : D


Question 1154

An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile listing them in the order Kerberos, LDAP, and TACACS+?



Answer : B


Question 1155

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 1156

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any." There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all."

Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?



Answer : D


Question 1157

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?



Answer : A

The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.


Question 1158

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.

Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.


Question 1159

A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.

Which two mandatory options are used to configure a VLAN interface? (Choose two.)



Answer : A, B


Question 1160

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?



Answer : A


Question 1161

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 1162

SAML SLO is supported for which two firewall features? (Choose two.)



Answer : A, B


Question 1163

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 1164

Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 1165

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 1166

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 1167

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?



Answer : A

One of the potential causes of a failed install when upgrading Panorama to PAN-OS is having outdated plugins. Plugins are software extensions that enable Panorama to interact with Palo Alto Networks cloud services and third-party services. Plugins have dependencies on specific PAN-OS versions, so they must be updated before or after upgrading Panorama, depending on the plugin compatibility matrix. If the plugins are not updated accordingly, the upgrade process may fail or cause issues with Panorama functionality.

Reference: Panorama Plugins Upgrade/Downgrade Considerations; Troubleshoot Your Panorama Upgrade; PCNSE Study Guide (page 54)


Question 1168

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?



Answer : D

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.


Question 1169

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : B

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 1170

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 1171

An administrator connects a new fiber cable and transceiver to Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rx-power, vendor name, and part number by using the CLI?



Answer : D


Question 1172

Which tool can gather information about the application patterns when defining a signature for a custom application?



Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.


Question 1173

Where can a service route be configured for a specific destination IP?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1174

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?



Answer : D


Question 1175

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 1176

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 1177

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?



Answer : C


Question 1178

For company compliance purposes, three new contractors will be working with different device-groups in their hierarchy to deploy policies and objects.

Which type of role-based access is most appropriate for this project?



Answer : A


Question 1179

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 1180

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?



Answer : B


Question 1181

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 1182

An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?



Answer : A


Question 1183

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.

Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.


Question 1184

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 1185

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the "Tentative" state. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.


Question 1186

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1187

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 1188

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.


Question 1189

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.


Question 1190

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)



Answer : C, D, E


Question 1191

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?



Answer : A


Question 1192

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 1193

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 1194

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?



Answer : A

Perfect Forward Secrecy (PFS) ensures unique session keys per VPN session, enabled under the IKE Gateway advanced options (Option A) by selecting a Diffie-Hellman (DH) group. This resolves Phase 2 mismatches if the peer requires PFS.

Option B (IPsec Tunnel) doesn't directly control PFS. Option C (DH Group in IPsec Crypto) is related but not the enablement point. Option D (authentication algorithm) is unrelated. Documentation specifies IKE Gateway for PFS.


Question 1195

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules.

How can this be achieved?



Answer : D


Question 1196

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?



Answer : A


Question 1197

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed.

How should email log forwarding be configured to achieve this goal?



Answer : C

To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.

To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.


Question 1198

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?



Answer : C

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc. This can help optimize the network performance and ensure the quality of service for critical applications and devices.


Question 1199

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.


Question 1200

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?



Answer : D


Question 1201

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 1202

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 1203

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 1204

What must be configured to apply tags automatically based on User-ID logs?



Answer : D

To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting.

Reference: Use Auto-Tagging to Automate Security Actions; PCNSE Study Guide (page 49)


Question 1205

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 1206

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?



Answer : B


Question 1207

Which two actions can the administrative role called "vsysadmin" perform? (Choose two.)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 1208

What should an engineer consider when setting up the DNS proxy for web proxy?



Answer : A


Question 1209

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1210

Which two statements correctly describe Session 380280? (Choose two.)



Answer : A, C


Question 1211

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 1212

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?



Answer : B

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.


Question 1213

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1214

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 1215

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 1216

A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?



Answer : D


Question 1217

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?



Answer : D, D

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:


Question 1218

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 1219

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. Reference: Policy-Based Forwarding; Packet Flow Sequence in PAN-OS


Question 1220

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1221

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 1222

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?



Answer : C


Question 1223

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 1224

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 1225

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic?



Answer : B


Question 1226

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)



Answer : C, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:

HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.


Question 1227

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What must the administrator do to correct this issue?



Answer : C

In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG


Question 1228

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?



Answer : C

If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. Reference: SSL Decryption Exclusion; Troubleshoot Unsupported Cipher Suites


Question 1229

What type of NAT is required to configure transparent proxy?



Answer : D


Question 1230

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?



Answer : D


Question 1231

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.

Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.


Question 1232

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 1233

Which CLI command displays the physical media that are connected to ethernet1/8?



Answer : B

The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8 (slot 1, port 8). This command filters the system state output to show only the physical layer information for the specified interface.

For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.


Question 1234

Which protocol is supported by GlobalProtect Clientless VPN?



Answer : D

Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html


Question 1235

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?



Answer : A


Question 1236

Where can a service route be configured for a specific destination IP?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1237

An administrator connects a new fiber cable and transceiver Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not come up. How can the administrator troubleshoot to confirm the transceiver type, tx-power, rxpower, vendor name, and part number by using the CLI?



Answer : D


Question 1238

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 1239

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current state of the BGP state between the two devices?



Answer : D


Question 1240

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)



Question 1241

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 1242

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)



Answer : B, C

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B . Application override policy rule:

This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C . Security policy rule:

After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.


Question 1243

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f


Question 1245

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?



Question 1246

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls.

The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration.

Which two solutions can the administrator use to scale this configuration? (Choose two.)



Answer : B, D

When deploying a large number of firewalls, such as 15 GlobalProtect gateways around the world, it's crucial to have a scalable configuration approach. Panorama offers several features to help scale configurations efficiently:

B . Template stacks:

Template stacks in Panorama allow administrators to create a collection of configuration templates that can be applied to multiple firewalls or device groups. This enables the consistent deployment of shared settings (such as network configurations, security profiles, etc.) across all managed firewalls, ensuring uniformity and reducing the effort required to manage individual firewall configurations.

D . Variables:

Variables in Panorama provide a way to customize template configurations for individual firewalls or device groups without altering the overall template. For example, a variable can be used to define a unique IP address, hostname, or other specific settings within a shared template. When the template is applied, Panorama replaces the variables with the actual values specified for each device or device group, allowing for customization within a standardized framework.

By using template stacks and variables, an administrator can rapidly deploy and manage configurations across multiple GlobalProtect gateways, ensuring consistency while still accommodating site-specific requirements. This approach streamlines the deployment process and enhances the manageability of a widespread GlobalProtect infrastructure.


Question 1247

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 1248

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats. Reference: Create the Data Center Best Practice Anti-Spyware Profile; Security Profile: Anti-Spyware; PCNSE Study Guide (page 57)


Question 1249

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 1250

A decryption policy has been created with an action of "No Decryption." The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?



Answer : D


Question 1251

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?



Question 1252

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 1253

An engineer is configuring a firewall with three interfaces:

* MGT connects to a switch with internet access.

* Ethernet1/1 connects to an edge router.

* Ethernet1/2 connects to a visualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?



Answer : A

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1255

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C . It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1256

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B . Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C . Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 1259

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload.

The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed.

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput.

Reference: Encryption Algorithms; TLS Protocol Versions; Decryption Policy; PCNSE Study Guide (page 60)


Question 1260

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?



Answer : B

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.

The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.


Question 1261

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?



Answer : D


Question 1262

A security engineer is informed that the Vulnerability Protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the Vulnerability Protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 1263

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?



Answer : A


Question 1264

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 1265

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability widget on the firewall's dashboard shows the status as down.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 1266

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 1267

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 1268

An engineer is reviewing policies after a PAN-OS upgrade. What are two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?



Answer : A, C


Question 1269

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)



Answer : A, D


Question 1270

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 1271

To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled?



Answer : B


Question 1273

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment.

Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)



Answer : A, D

For explicit Web Proxy deployments on PAN-OS 11.0, Palo Alto Networks supports Kerberos and SAML as the authentication methods. RADIUS is not supported for explicit or transparent Web Proxy authentication, so a client that uses RADIUS today must deploy one of the supported methods (Kerberos or SAML) for proxy users. LDAP and TACACS+ are likewise not directly supported for Web Proxy authentication in PAN-OS.

For the current list of supported Web Proxy authentication methods, refer to the PAN-OS Web Proxy documentation and the 'PAN-OS Web Interface Reference Guide'.


Question 1274

Which rule type controls end user SSL traffic to external websites?



Answer : B

The SSL Forward Proxy decryption rule type controls and inspects TLS traffic from internal users to external websites. When an internal user connects to an HTTPS site, the firewall intercepts the TLS handshake, establishes its own TLS session with the requested server, and presents the client with a copy of the server certificate signed by the firewall's Forward Trust CA (or by the Forward Untrust CA if the server certificate does not validate). The firewall therefore has the cleartext, inspects it against the Security profiles attached to the matching Security policy rule, and re-encrypts the traffic toward its destination.

Because the client is shown a firewall-signed certificate, the Forward Trust CA must be trusted by the endpoints; otherwise users receive certificate warnings. SSL Forward Proxy is the mechanism that lets the firewall apply threat prevention and URL filtering to outbound encrypted traffic.


Question 1275

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen in traffic that matched the same rule. This helps the administrator identify applications that are not explicitly defined in the rule but are implicitly allowed because they are dependencies of the configured applications. The compare option also shows usage statistics and risk levels for the applications, and suggests how to optimize the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 1276

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating administrator accounts on the firewall? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication#:~:text=The%20administrative%20accounts%20are%20defined,attributes%20on%20the%20SAML%20server.


Question 1277

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 1279

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1280

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 1281

A network administrator notices a false positive after enabling Security profiles. When the administrator checks the Threat logs, the related signature displays the following:

threat type: spyware; category: dns-c2; threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 1282

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infra-structure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 1284

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?



Answer : D

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. Because Evernote implicitly uses SSL and web-browsing as dependencies, the firewall automatically allows those applications when Evernote is allowed, so there is no need to add HTTP, SSL, or web-browsing to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic. Reference: App-ID Overview, Create a Security Policy Rule
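The Policy Optimizer comparison from Question 1275 and the implicit-dependency behaviour described here can be illustrated with the following added Python example. It is not Palo Alto Networks code and does not read the real App-ID database: the dependency map is constructed for the example (Evernote's implicit use of ssl and web-browsing is taken from the question text; the other entries are assumed), and the traffic-log excerpt and its key=value format are invented.

```python
"""Compare the applications configured on a rule with the applications seen in traffic that
matched it, separating implicitly allowed dependencies from genuinely new applications."""

# Illustrative dependency map (assumed for the example, not the App-ID database).
# Evernote -> ssl, web-browsing is from the question; the rest is made up for the demo.
IMPLICIT_DEPENDENCIES = {
    "evernote": {"ssl", "web-browsing"},
    "ms-update": {"web-browsing"},
    "web-browsing": set(),
    "ssl": set(),
    "dropbox": {"ssl"},
}

# Constructed traffic-log excerpt: rule name and application per session. Not firewall output.
SAMPLE_TRAFFIC_LOG = [
    "rule=allow-evernote app=evernote",
    "rule=allow-evernote app=ssl",
    "rule=allow-evernote app=web-browsing",
    "rule=allow-evernote app=dropbox",
    "rule=allow-evernote app=evernote",
    "rule=other-rule app=dns",
]


def implicit_closure(apps, deps=IMPLICIT_DEPENDENCIES):
    """Every application implicitly allowed when `apps` are allowed, following dependencies of
    dependencies, excluding the configured apps themselves."""
    seen, stack = set(), list(apps)
    while stack:
        for dep in deps.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen - set(apps)


def apps_seen_for_rule(log_lines, rule):
    """Count applications seen on sessions that matched `rule`."""
    counts = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("rule") == rule:
            counts[fields["app"]] = counts.get(fields["app"], 0) + 1
    return counts


def compare_rule(configured, seen_counts, deps=IMPLICIT_DEPENDENCIES):
    """Classify seen apps as explicitly configured, implicitly allowed via dependencies, or new;
    also report configured apps that never appeared in traffic."""
    configured = set(configured)
    implicit = implicit_closure(configured, deps)
    seen = set(seen_counts)
    return {
        "explicit": sorted(seen & configured),
        "implicit": sorted(seen & implicit),
        "new": sorted(seen - configured - implicit),
        "unused": sorted(configured - seen),
    }


if __name__ == "__main__":
    counts = apps_seen_for_rule(SAMPLE_TRAFFIC_LOG, "allow-evernote")
    print(counts)
    print(compare_rule(["evernote"], counts))
```

The "new" bucket is the one worth acting on: in the constructed sample, dropbox appeared on the rule without being either configured or a dependency, which is the situation the New App Viewer highlights after a content update reclassifies traffic.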


Question 1285

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone. What can the administrator do to correct this issue?



Answer : B

In Panorama, zones defined in a template must be linked to a device group for visibility in policy creation. Adding the template as a reference template in the device group (Option B) ensures its zones are available in the policy editor's drop-down list.

Option A (master device) affects User-ID, not zones. Option C (add firewall) is a prerequisite, not a fix. Option D (share objects) is unrelated to zones. Documentation specifies reference templates for this issue.


Question 1286

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C . It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for the tunnel. This keeps the VPN connection available, maintaining secure remote access even in environments where IPSec is blocked. SSL/TLS provides a secure tunnel, generally with somewhat lower throughput than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1287

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)



Answer : B, D, E

To address application performance degradation caused by excessive VoIP traffic, the administrator should configure QoS: a QoS profile that defines the traffic classes, a QoS policy that assigns the VoIP traffic to a class, and QoS enabled on the egress interface for the traffic flows. QoS lets the firewall manage bandwidth and prioritize traffic based on application, user, service and other criteria, which protects latency-sensitive applications such as VoIP by guaranteeing them bandwidth and priority over other traffic.

A QoS profile defines up to eight classes of service, each with a priority, guaranteed bandwidth, maximum bandwidth and weight. A QoS policy rule identifies the traffic that belongs to a class based on source and destination zones, addresses, users, applications, services and so on. The administrator can create a custom QoS profile or use the default one.

QoS is applied on the egress interface, the interface where the traffic leaves the firewall, because the firewall shapes outbound traffic only. Which interface is the egress interface depends on the direction of the VoIP traffic: for calls from internal users to external servers it is the untrust interface facing the ISP; for calls from external users to internal servers it is the trust interface facing the LAN.

Assign the VoIP class a high priority and sufficient guaranteed bandwidth so that VoIP packets are forwarded first and are not dropped or delayed under congestion. Other bandwidth-heavy or risky applications can be limited in the same or other QoS classes.

An Application Override policy for SIP traffic is not needed. Application Override replaces App-ID classification for traffic matched by port and protocol, which can help with applications that are hard to identify or behave in non-standard ways, but SIP is a predefined App-ID and the firewall recognizes it without an override.

QoS on the ingress interface is not effective, since the firewall shapes outbound traffic only; applying QoS on the ingress interface does not change how incoming packets are handled or prioritized.

A QoS policy per application is not required. A single QoS policy rule can match multiple applications through application filters or application groups, so separate rules are only needed when different applications require different classes or parameters.

References: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule


Question 1288

SSL Forward Proxy decryption is configured, but the firewall uses the Forward Untrust CA to sign the certificate for the website https://www.very-important-website.com, and end users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain (Well-Known-Intermediate and Well-Known-Root-CA). The security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End users must not get the warning for the https://www.very-important-website.com/ website.

2. End-users should get the warning for any other untrusted website.

Which approach meets the two customer requirements?



Answer : A


Question 1289

Which is not a valid reason for receiving a decrypt-cert-validation error?



Answer : A


Question 1290

Refer to Exhibit:

An administrator can not see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama?

Options A through D are exhibit images (not reproduced).



Answer : A


Question 1291

Which two actions can the administrative role called "vsysadmin" perform? (Choose two)



Answer : B, C

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin's scope. Option D (configure interfaces) is also outside vsysadmin's permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.


Question 1292

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1293

Based on the image, what caused the commit warning?



Answer : D


Question 1294

A company has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a phishing campaign against the organization prompts a search for more controls to secure access to critical assets. For users who need to access these systems, the company decides to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA.

What must the company do in order to use PAN-OS MFA?



Answer : D


Question 1295

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 1296

A firewall engineer is managing a Palo Alto Networks NGFW that has no DHCP server or DHCP relay configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 1297

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose TWO)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 1298

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 1300

A firewall engineer is investigating high dataplane CPU utilization. To decrease the load on this CPU, what should be reduced?



Answer : A


Question 1301

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, disable config sync on both firewalls. Config sync lets the firewalls in an HA pair synchronize their configurations and stay consistent. When you import the configuration of an HA pair into Panorama, you want to avoid any change to the firewall configuration until you have verified and committed the imported configuration on Panorama. Therefore, disable config sync before importing the configuration and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 1302

Which statement regarding HA timer settings is true?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers


Question 1303

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection


Question 1304

Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?



Answer : D


Question 1305

Which protocol is supported by GlobalProtect Clientless VPN?



Answer : D

Virtual Desktop Infrastructure (VDI) and virtual machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without additional third-party middleware. In environments that lack native support for HTML5 or the other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html


Question 1306

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 1308

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption is resource-intensive, and when the firewall is near its limits the handshake is the part worth optimizing: for every decrypted session the firewall completes two TLS handshakes (one with the client, one with the server) and signs an impersonation certificate for the client-facing side.

C . Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

ECDSA provides comparable security at much smaller key sizes (a 256-bit ECDSA key is roughly equivalent to a 3072-bit RSA key), and ECDSA signing is considerably cheaper than RSA signing at equivalent strength. Using an ECDSA Forward Trust CA and ECDSA-capable cipher suites for lower-priority traffic therefore reduces the per-session handshake load on the firewall. The cost of bulk encryption after the handshake is unchanged; that depends on the symmetric cipher, not on the certificate's signature algorithm.

This does not weaken protection of the decrypted traffic. It replaces RSA with a more efficient signature algorithm, which helps keep the firewall within its resource budget while it continues to inspect encrypted traffic. Verify that the client population trusts an ECDSA-signed CA certificate before switching, as older clients may not.


Question 1309

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.

If you don't believe it, log in to the firewall, go to Vulnerability > Exceptions, and select 'Show all signatures'. From there you will see all threat information, including the specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 1310

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 1311

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1312

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 1313

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 1314

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?



Answer : C


Question 1315

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1316

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?



Answer : A

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620

'Force Template Value will, as the name suggests, remove any local configuration and apply the value defined in the Panorama template. But this is valid only for overlapping configuration.'

'You need to be careful what is actually defined in the template. For example, if you decide to enable HA in the template, but after that you decide not to push it with the template and just disable it again (remove the check from the 'Enable HA' checkbox), this will still be part of the template, because now your template is explicitly defining HA as disabled. If you made a change in the template and later decide that you don't want to control this setting with the template, you need to revert the config by clicking the green bar next to the changed value.'


Question 1317

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?



Question 1318

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1319

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 1320

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 1321

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks.

Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution.

How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f


Question 1322

A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow. Upon opening the newly created packet capture, the administrator still sees traffic for the previous filter. What can the administrator do to limit the captured traffic to the newly configured filter?



Answer : C


Question 1323

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic.

Which three elements should the administrator configure to address this issue? (Choose three.)



Answer : B, D, E

To address the issue of application performance degradation due to excessive VoIP traffic, the administrator should configure QoS on the egress interface for the traffic flows and a QoS profile defining traffic classes. QoS stands for Quality of Service, which is a feature that allows the firewall to manage bandwidth usage and prioritize traffic based on various criteria, such as application, user, service, etc. QoS can help improve the performance and quality of latency-sensitive applications, such as VoIP, by guaranteeing them sufficient bandwidth and priority over other traffic [1].

To enable QoS on the firewall, the administrator needs to create a QoS profile and a QoS policy. A QoS profile defines the eight classes of service that traffic can receive, including priority, guaranteed bandwidth, maximum bandwidth, and weight. A QoS policy identifies the traffic that matches a specific class of service based on source and destination zones, addresses, users, applications, services, etc. [2] The administrator can also create a custom QoS profile or use the default one.

The administrator should apply QoS on the egress interface for the traffic flows, which is the interface where the traffic leaves the firewall. This is because QoS can only shape outbound traffic and not inbound traffic. The egress interface can be either internal or external, depending on the direction of the VoIP traffic. For example, if the VoIP traffic is from internal users to external servers, then the egress interface is the untrust interface facing the ISP. If the VoIP traffic is from external users to internal servers, then the egress interface is the trust interface facing the LAN [3].

The administrator should assign a high priority and a sufficient guaranteed bandwidth to the VoIP traffic in the QoS profile. This will ensure that the VoIP packets are processed first by the firewall and are not dropped or delayed due to congestion. The administrator can also limit or block other applications that consume too much bandwidth or pose security risks in the same or different QoS classes [4].

An Application Override policy for SIP traffic is not necessary to address this issue. An Application Override policy is used to change or customize the App-ID of certain traffic based on port and protocol criteria. This can be useful for optimizing performance or security for some applications that are difficult to identify or have non-standard behaviors. However, SIP is a predefined App-ID that identifies Session Initiation Protocol (SIP) traffic, which is commonly used for VoIP signaling. The firewall can recognize SIP traffic without an Application Override policy [5].

QoS on the ingress interface for the traffic flows is not effective to address this issue. As mentioned earlier, QoS can only shape outbound traffic and not inbound traffic. Applying QoS on the ingress interface will not have any impact on how the firewall handles or prioritizes the incoming packets [6].

A QoS policy for each application is not required to address this issue. A QoS policy can match multiple applications in a single rule by using application filters or application groups. This can simplify and consolidate the QoS policy configuration and management. The administrator does not need to create a separate QoS policy for each application unless there is a specific need to assign different classes of service or parameters to each application [7].

References: QoS Overview, Configure QoS, QoS Use Cases, QoS Best Practices, Application Override, QoS FAQ, Create a QoS Policy Rule


Question 1324

Where can a service route be configured for a specific destination IP?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1325

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 1326

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 1327

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 1328

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What must the administrator do to correct this issue?



Answer : C

In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG


Question 1329

For company compliance purposes, three new contractors will be working with different device groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project?



Answer : A

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.


Question 1330

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 1331

In a template, which two objects can be configured? (Choose two.)



Answer : B, C

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html


Question 1332

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 1333

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions setting allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.

If you don't believe it, log in to the firewall, go to Vulnerability > Exceptions, and select 'Show all signatures'. From there you will see all threat information, including the specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 1334

During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1335

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?



Answer : A


Question 1336

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 1337

An administrator has been tasked with configuring decryption policies.

Which decryption best practice should they consider?



Answer : A

The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic [1]. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner [1].


Question 1338

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 1339

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 1340

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?



Answer : C


Question 1341

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1342

Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?



Answer : D

In the second image, the VW (virtual wire) ports mentioned are 1/5 and 1/7. Hence they cannot be part of any other routing. So if any traffic comes in as ingress from 1/7, it has to go out via 1/5.

The egress interface for the traffic with ingress interface ethernet1/7, source 192.168.111.3, and destination 10.46.41.113 will be ethernet1/5. This is because the traffic will match the virtual wire with interfaces ethernet1/5 and ethernet1/7, which is configured to allow VLAN-tagged traffic with tags 10 and 201. The traffic will also match the security policy rule that allows traffic from zone Trust to zone Untrust, which are assigned to ethernet1/7 and ethernet1/5 respectively [2]. Therefore, the traffic will be forwarded out of the virtual wire's paired interface, which is ethernet1/5 [3].


Question 1343

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates [4]. These settings can be configured in a template named 'Global' and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy [4]. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 1344

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone [1].

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall [1].


Question 1345

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)



Answer : A, C

When sizing a decryption firewall deployment, two factors that should be considered are the encryption algorithm and the TLS protocol version. These factors affect the amount of resources and processing power that the firewall needs to decrypt and inspect SSL/TLS traffic.

The encryption algorithm is the method that the server and the client use to encrypt and decrypt the data exchanged in an SSL/TLS session. Different encryption algorithms have different levels of security and performance. For example, AES is a symmetric encryption algorithm that is faster and more efficient than RSA, which is an asymmetric encryption algorithm. However, RSA is more secure than AES because it uses public and private keys to encrypt and decrypt data, while AES uses a single shared key. The firewall must support the encryption algorithms that are used by the servers and clients that it decrypts, and it must have enough CPU and memory resources to handle the decryption workload [1][2].

The TLS protocol version is the standard that defines how the server and the client establish and maintain an SSL/TLS session. Different TLS protocol versions have different features and requirements for encryption algorithms, cipher suites, certificates, handshake messages, etc. For example, TLS 1.3 is the latest and most secure version of TLS, which supports only strong encryption algorithms and cipher suites, such as AES-GCM and ChaCha20-Poly1305, and requires elliptic curve certificates. The firewall must support the TLS protocol versions that are used by the servers and clients that it decrypts, and it must have enough hardware acceleration resources to handle the decryption speed [3][4].

The number of security zones in decryption policies and the number of blocked sessions are not relevant factors for sizing a decryption firewall deployment. The number of security zones in decryption policies only affects how the firewall matches traffic to decryption rules based on source and destination zones, but it does not affect the decryption performance or resource consumption. The number of blocked sessions only indicates how many sessions are denied by the firewall based on security policy or decryption policy rules, but it does not affect the decryption capacity or throughput [5][6].

References: Encryption Algorithms, TLS Protocol Versions, Decryption Policy, PCNSE Study Guide (page 60)


Question 1346

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?



Answer : B

For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.

Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.


Question 1347

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?



Answer : D


Question 1348

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)



Answer : B, C, D


Question 1349

An engineer is configuring a firewall with three interfaces:

* MGT connects to a switch with internet access.

* Ethernet1/1 connects to an edge router.

* Ethernet1/2 connects to a virtualization network.

The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?



Answer : A

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1350

Which CLI command displays the physical media that are connected to ethernet1/8?



Answer : B

The CLI command 'show system state filter-pretty sys.s1.p8.phy' is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8. This command is designed to filter the output to show the relevant physical layer information for the specified interface (slot 1, port 8).

For more information on Palo Alto Networks CLI commands and their outputs, refer to the 'PAN-OS CLI Reference Guide'.


Question 1351

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C. Place a more specific NAT rule above the broader one:

Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.

Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.

Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.


Question 1352

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 1353

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 1354

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours.

Which two steps are likely to mitigate the issue? (Choose two.)



Answer : A, C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW


Question 1355

Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

A)

B)

C)

D)



Question 1356

Which feature can provide NGFWs with User-ID mapping information?



Answer : C


Question 1357

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats [2]. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)


Question 1358

As a best practice, logging at session start should be used in which case?



Answer : A


Question 1359

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?



Question 1360

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?



Answer : B


Question 1361

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 1362

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?



Answer : D

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


Question 1363

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 1364

An administrator is troubleshooting intermittent connectivity problems with a user's GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?



Answer : C


Question 1365

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 1366

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?



Answer : D


Question 1367

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 1368

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : A, D

A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing [1].

A: Virtual Wire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment [2]. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it out the other interface of the pair [2].

D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses [3]. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table [3].

Verified Reference:

1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan

2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html

3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html


Question 1369

What is the best definition of the Heartbeat Interval?



Answer : C

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

"A 'heartbeat-interval' CLI command was added to the election settings for HA; this interval has a 1000 ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


Question 1370

An administrator troubleshoots an issue that causes packet drops.

Which log type will help the engineer verify whether packet buffer protection was activated?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4


Question 1371

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make.

How does the firewall identify the New App-ID characteristic?



Answer : B

The New App-ID characteristic enables the firewall to monitor new applications on the network, so that the engineer can better assess the security policy updates they might want to make. The New App-ID characteristic always matches only the new App-IDs in the most recently installed content release. When a new content release is installed, the New App-ID characteristic automatically begins to match only the new App-IDs in that content release version. This way, the engineer can see how the newly categorized applications might impact security policy enforcement and make any necessary adjustments. Reference: Monitor New App-IDs


Question 1372

Four configuration choices are listed, and each could be used to block access to a specific URL.

If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?



Answer : C


Question 1373

Which are valid ACC GlobalProtect Activity tab widgets? (Choose two.)



Answer : B, D


Question 1374

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1375

An engineer is bootstrapping a VM-Series firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 1376

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C: PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. [1][2]. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 1377

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 1378

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks.

Which sessions does Packet Buffer Protection apply to?



Answer : A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection


Question 1379

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 1380

Which configuration change will improve network reliability and ensure minimal disruption during tunnel failures?



Answer : B

For IPsec VPN reliability, Option B enhances failover speed by adding a backup tunnel and tuning tunnel monitoring. Reducing the interval (e.g., to 2 seconds) and threshold (e.g., to 3 retries) ensures quick detection and failover to the backup tunnel, minimizing disruption.

Option A (HA and rekey interval) addresses session continuity, not tunnel failure detection. Option C (disable monitoring) risks missing real failures. Option D (Fail Over profile) helps but lacks the proactive tuning of B. Documentation recommends this approach.


Question 1381

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 1382

An administrator is tasked to provide secure access to applications running on a server in the company's on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?



Answer : B


Question 1383

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 1384

A customer requires that virtual systems with separate virtual routers can communicate with one another within a Palo Alto Networks firewall. In addition to confirming Security policies, which three configurations will accomplish this goal? (Choose three)



Answer : B, C, D


Question 1385

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.

Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.


Question 1386

Users are intermittently being cut off from local resources whenever they connect to GlobalProtect. After researching, it is determined that this is caused by an incorrect setting on one of the NGFWs. Which action will resolve this issue?



Answer : C

The 'No direct access to local network' setting in the GlobalProtect Gateway's Client Settings under Split Tunnel (Option C) prevents local resource access when enabled. Disabling it allows split tunneling to permit local traffic, resolving the issue.

Option A (Network Services) is a mispath. Option B (Satellite) applies to different configs. Option D (Portal App) doesn't control this behavior. Documentation confirms this Gateway setting.


Question 1387

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)



Answer : B, D

The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key [1][2][3]. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)


Question 1388

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 1389

Refer to the exhibit.

An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?

A)

B)

C)

D)



Question 1390

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1391

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?



Answer : B

Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.

The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.

Step-by-Step Explanation

Link Clicked and File Download Triggered:

When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.

URL Inspection by WildFire:

The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:

Known malicious indicators.

Suspicious elements like embedded scripts, links, or calls to external resources.

Forwarding the PE File for Analysis:

The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.

Dynamic and Static Analysis:

Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:

Suspicious code patterns.

Known malicious signatures.

Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).

Dynamic Analysis: The file is executed in a controlled virtual environment to observe:

Behavioral anomalies, like privilege escalation attempts.

Network communication, such as connections to Command and Control (C2) servers.

File system modifications or registry changes indicative of malicious intent.

Threat Verdict:

Based on its findings, WildFire classifies the URL and PE file into one of the following categories:

Benign.

Grayware.

Malware.

Phishing.

Automated Response:

If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:

Blocking access to the webpage.

Quarantining or blocking the downloaded file.

Generating a detailed alert or log entry for administrators.

Signature Update:

WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.

Advanced WildFire Configuration and Behavior

Forwarding File Types:

The WildFire analysis profile must be configured to forward relevant file types. In this case:

PE files are commonly forwarded by default since they are a known vector for malware.

Administrators can define custom forwarding rules based on file type and traffic.

Integration with the Security Profile:

WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).

URL Filtering ensures that the link itself is categorized and blocked if malicious.

WildFire's output informs and updates the threat prevention database dynamically.

Why the Answer is B?

WildFire performs dual analysis:

The linked webpage is checked for malicious scripts or phishing attempts.

The PE file downloaded is analyzed for malware through both static and dynamic methods.

This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.

Document Reference:

PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.

Palo Alto Networks WildFire Admin Guide:

This guide details file forwarding configurations, supported file types, and the global signature distribution process.

PAN-OS Admin Guide:

Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.


Question 1392

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?



Answer : C


Question 1393

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 1394

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 1395

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 1396

Which tool can gather information about the application patterns when defining a signature for a custom application?



Answer : C

Wireshark (Option C) is a packet capture tool that provides detailed application traffic patterns (e.g., ports, protocols, payloads), essential for defining custom application signatures in PAN-OS.

Option A (Policy Optimizer) analyzes existing rules, not raw traffic. Option B (Data Filtering Log) shows data patterns, not app behavior. Option D (Expedition) is for migration, not signature creation. Documentation recommends packet captures for this task.


Question 1397

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS


Question 1398

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 1399

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 1400

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 1401

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 1402

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 1403

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?



Answer : B


Question 1404

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama [1]. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)


Question 1405

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 1406

Which three statements accurately describe Decryption Mirror? (Choose three.)



Answer : B, D, E

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' 'PAN-OS Administrator's Guide' and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.


Question 1407

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 1408

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 1409

An enterprise network security team is deploying VM-Series firewalls in a multi-cloud environment. Some firewalls are deployed in VMware NSX-V, while others are in AWS, and all are centrally managed using Panorama with the appropriate plugins installed. The team wants to streamline policy management by organizing the firewalls into device groups in which the AWS-based firewalls act as a parent device group, while the NSX-V firewalls are configured as a child device group to inherit Security policies. However, after configuring the device group hierarchy and attempting to push configurations, the team receives errors, and policy inheritance is not functioning as expected. What is the most likely cause of this issue?



Answer : D

Panorama's device group hierarchy supports policy inheritance, but it does not support inheritance across groups with firewalls on different hypervisors (e.g., AWS and NSX-V) when managed by multiple plugins (Option D). AWS and NSX-V firewalls use distinct plugins (e.g., AWS Plugin, NSX Plugin), and Panorama restricts cross-hypervisor inheritance due to differing configurations and contexts, causing errors when pushing policies.

Option A (plugin versions) is unrelated to inheritance. Option B (object overrides) isn't a requirement for this issue. Option C (command) is fictional. Documentation confirms this limitation.


Question 1410

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?



Answer : B

Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.

The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.

Step-by-Step Explanation

Link Clicked and File Download Triggered:

When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.

URL Inspection by WildFire:

The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:

Known malicious indicators.

Suspicious elements like embedded scripts, links, or calls to external resources.

Forwarding the PE File for Analysis:

The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.

Dynamic and Static Analysis:

Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:

Suspicious code patterns.

Known malicious signatures.

Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).

Dynamic Analysis: The file is executed in a controlled virtual environment to observe:

Behavioral anomalies, like privilege escalation attempts.

Network communication, such as connections to Command and Control (C2) servers.

File system modifications or registry changes indicative of malicious intent.

Threat Verdict:

Based on its findings, WildFire classifies the URL and PE file into one of the following categories:

Benign.

Grayware.

Malware.

Phishing.

Automated Response:

If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:

Blocking access to the webpage.

Quarantining or blocking the downloaded file.

Generating a detailed alert or log entry for administrators.

Signature Update:

WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.

Advanced WildFire Configuration and Behavior

Forwarding File Types:

The WildFire analysis profile must be configured to forward relevant file types. In this case:

PE files are commonly forwarded by default since they are a known vector for malware.

Administrators can define custom forwarding rules based on file type and traffic.

Integration with the Security Profile:

WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).

URL Filtering ensures that the link itself is categorized and blocked if malicious.

WildFire's output informs and updates the threat prevention database dynamically.

Why the Answer Is B

WildFire performs dual analysis:

The linked webpage is checked for malicious scripts or phishing attempts.

The PE file downloaded is analyzed for malware through both static and dynamic methods.

This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.

Document Reference:

PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.

Palo Alto Networks WildFire Admin Guide:

This guide details file forwarding configurations, supported file types, and the global signature distribution process.

PAN-OS Admin Guide:

Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.


Question 1411

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 1412

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 1413

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 1414

Which three items must be configured to implement application override? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/policies/policies-application-override

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDrCAO


Question 1415

Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application?



Answer : B


Question 1416

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 1417

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

To block users dynamically based on threat log activity, dynamic user groups (DUGs) with tagging provide an automated solution. Option B configures a DUG with a 'malicious' tag, a Log Forwarding profile to tag users in the threat log (e.g., via threat intelligence), and a Security policy to block the tagged group. This leverages User-ID and is ideal for user-based blocking.

Option A uses dynamic address groups (DAGs), which block IPs, not users. Option C (security profiles) can block traffic but not dynamically tag/block users without additional configuration. Documentation supports DUGs for this use case.


Question 1418

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)


Question 1419

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 1420

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?



Answer : C


Question 1421

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?



Answer : C


Question 1422

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data.

https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 1423

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third-party proxies? (Choose two.)



Answer : B, D

Palo Alto firewalls can gather User-ID mappings from proxies via Syslog (Option B), parsing log messages with user-IP data, and XFF Headers (Option D), extracting user info from HTTP headers (X-Forwarded-For) if the proxy supports it.

Option A (Client Probing) queries clients, not proxies. Option C (Server Monitoring) targets servers like AD, not proxies. Documentation lists these methods for proxy integration.


Question 1424

An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection?



Answer : A


Question 1425

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.

Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)



Answer : A, D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK


Question 1426

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 1427

When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?



Answer : D


Question 1428

Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.


Question 1429

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 1430

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?



Answer : C


Question 1431

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 1432

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.


Question 1433

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 1434

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 1435

A company wants to add threat prevention to the network without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : A, D

A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing [1].

A: Virtual Wire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment [2]. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it to the same interface from which it was received [2].

D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses [3]. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table [3].

Verified Reference:

1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan

2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html

3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html


Question 1436

Which operation will impact the performance of the management plane?



Answer : B

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD---PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK


Question 1437

An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.

Which two actions could an administrator take to troubleshoot this issue? (Choose two.)



Answer : A, D

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking


Question 1438

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?



Answer : D


Question 1439

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles.

For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)



Answer : B, C, E

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats. Reference: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)


Question 1440

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 1441

Which active-passive HA firewall state describes the firewall that is currently processing traffic?



Answer : C


Question 1442

Which Panorama feature protects logs against data loss if a Panorama server fails?



Answer : B

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

'Log redundancy is available only if each Log Collector has the same number of logging disks.' (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.


Question 1443

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls.

What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS


Question 1444

What is the benefit of the Artificial Intelligence Operations (AIOps) Plugin for Panorama?



Answer : B

The AIOps Plugin for Panorama enhances security management by proactively validating commits against best practices (Option B). It analyzes policies, provides recommendations (e.g., unused rules, misconfigurations), and advises administrators before pushing changes, improving security posture without automatic enforcement.

Option A (auto-push) overstates its role; it advises, not pushes. Option C (auto-correct) is inaccurate; it suggests, not fixes. Option D (retroactive checks) misaligns with its proactive design. Documentation highlights its advisory function.


Question 1445

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)



Answer : B, D

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall.


Question 1446

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 1447

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 1448

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 1449

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 1450

An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity.

Which two objects can Dynamic User Groups use as match conditions for group membership? (Choose two.)



Answer : B, C


Question 1451

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 1452

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in use for approved web traffic?



Answer : B


Question 1453

What is the best description of the Cluster Synchronization Timeout (min)?



Answer : A

The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier. Reference: Configure HA Clustering, PCNSE Study Guide (page 53)


Question 1454

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?



Answer : D


Question 1455

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1456

Why would a traffic log list an application as "not-applicable"?



Answer : A

A traffic log would list an application as "not-applicable" if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a "not-applicable" entry in the application field of the traffic log.


Question 1457

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1458

A firewall engineer is managing a Palo Alto Networks NGFW that does not have the DHCP server or DHCP agent configuration. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 1459

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?



Answer : A


Question 1460

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)



Answer : A, D


Question 1461

Which feature can provide NGFWs with User-ID mapping information?



Answer : C


Question 1462

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 1463

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 1464

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

By default the Exceptions tab of a Vulnerability Protection profile hides signatures that have no exception configured, so a signature that has never been excepted does not appear there. Selecting Show all signatures (Option B) lists every signature in the installed content, so the administrator can search for the Threat ID and add the exception directly. This is the fastest way to clear a false positive without outside help.

Reviewing the system logs (Option A) may explain why the signature is missing but does not implement the exception. Working from the traffic logs (Option C) leads to a policy workaround rather than a profile exception. A support case (Option D) is slower and unnecessary.


Question 1465

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.

Which three dynamic routing protocols support BFD? (Choose three.)



Answer : A, B, C

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols


Question 1466

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer is always the initiator and its address is unknown, the administrator enables Passive Mode on the IKE gateway: the firewall then only responds to IKE negotiations and never initiates them, so it does not need a reachable peer address of its own to bring the tunnel up. Certificate authentication (Option A), the Dynamic peer address type (Option C), and an FQDN peer address (Option D) change how the peer is identified or authenticated, but none of them by itself makes the firewall wait for the peer to start the negotiation.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 1467

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a firewall's local configuration overrides a Panorama template value, the administrator restores central control by pushing the template (or template stack) with the Force Template Values option selected. The push replaces the locally overridden settings with the values defined in Panorama, so the interface configuration once again comes from the template. Note that Force Template Values removes existing overrides at push time; it does not stop an administrator with local access from creating a new one, so local administrator access should be restricted as well.

Option A (a device group commit and push) carries policies and objects, not the Device and Network settings that templates hold. Option C (a forced commit from the firewall CLI) commits the local configuration, override included. Option D (reloading the running configuration) is disruptive and does not reinstate the template value. Force Template Values is the documented method for this case.


Question 1468

Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)



Answer : A, D


Question 1469

A customer would like to support Apple Bonjour in their environment for ease of configuration.

Which type of interface is needed on their PA-3200 Series firewall to enable Bonjour Reflector in a segmented network?



Answer : C


Question 1470

Based on the image, what caused the commit warning?



Answer : D


Question 1471

What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)



Answer : A, B


Question 1472

An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from an L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.

Which Panorama tool can provide a solution?



Answer : B


Question 1473

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability widget on the firewall's dashboard shows the status as down.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 1474

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 1475

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls, and each vsys of a multi-vsys firewall can be assigned to a different device group according to the security policy that vsys needs. This gives granular control over multi-vsys firewalls managed by Panorama. Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)


Question 1476

A network administrator notices a false positive after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 1477

How can a firewall be set up to automatically block users as soon as they are found to exhibit malicious behavior via a threat log?



Answer : B

Blocking by user rather than by address is done with a dynamic user group (DUG): create a tag (for example malicious), build a DUG whose match criteria select that tag, and write a Security policy rule that denies traffic whose source user is the DUG. A Log Forwarding profile attached to the rules then uses the Tagging built-in action on threat logs, with Source User as the target and the local User-ID agent as the registration point, so a user is added to the group the moment a matching threat log is written and the deny rule applies to that user's next session. This is Option B.

Option A uses a dynamic address group (DAG), which tags and blocks IP addresses, not users; the block follows the address, not the person, and is lost when the user moves to another IP. Option C (security profiles alone) can block the offending session but cannot tag the user or extend the block to the user's other traffic without the DUG mechanism.


Question 1478

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)



Answer : B, D

ECDHE and DHE are the most expensive key exchanges for a decrypting firewall. Both are ephemeral Diffie-Hellman variants that provide perfect forward secrecy (PFS): every session derives a fresh key and no key is reused across sessions. That protects recorded traffic against a later key compromise, but it also means the firewall, which terminates the TLS session towards the client and opens a second one towards the server, has to perform a fresh Diffie-Hellman computation on each side of every session. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) uses elliptic-curve operations; DHE (Diffie-Hellman Ephemeral) uses modular exponentiation over a large prime group. RSA key exchange, which has no forward secrecy, has the server's long-lived private key unwrap the session key and is cheaper for the firewall. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)


Question 1479

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud, whether global (U.S.), regional, or private, analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, so WildFire users have access to a worldwide database of threat data.


Question 1480

As a best practice, logging at session start should be used in which case?



Answer : A


Question 1481

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1482

An administrator configures a preemptive active-passive high availability (HA) pair of firewalls and configures the HA election settings on firewall-02 with a device priority value of 100, and firewall-01 with a device priority value of 90.

When firewall-01 is rebooted, is there any action taken by the firewalls?



Answer : C


Question 1483

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 1484

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile. A DoS Protection profile enables the firewall to detect and prevent denial-of-service attacks that try to overwhelm network resources or disrupt services, and it provides granular defense against targeted flood attacks on specific critical systems reachable from the internet, such as web servers, DNS servers, or VPN gateways. The profile is applied through a DoS Protection policy rule that matches the traffic to and from the protected systems, and it specifies the thresholds and actions for the different flood types (SYN, UDP, ICMP, and other IP floods). Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 1485

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override policy (Option B) forces the firewall to classify matching traffic as the named custom application and skip App-ID's signature-based identification; because App-ID does not run, content inspection (threat, antivirus, URL filtering and so on) is not performed on that traffic either. The custom application's properties (protocol and ports) define the match, and the traffic is then subject only to the security policy rule it hits. Because the override also removes threat inspection, it should be scoped as narrowly as possible and removed once troubleshooting is complete.

Option A (clearing the scanning options) still runs App-ID. Option C (removing the security profiles) removes inspection but not App-ID. Option D (disabling Server Response Inspection) only skips inspection of the server-to-client half of the session. Application override is the documented mechanism for bypassing both.


Question 1486

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 1487

Which source is the most reliable for collecting User-ID user mapping?



Answer : D


Question 1489

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 1490

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?



Answer : C


Question 1491

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?



Answer : A


Question 1492

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 1493

How does Panorama prompt VMware NSX to quarantine an infected VM?



Answer : A


Question 1494

An administrator is troubleshooting why video traffic is not being properly classified.

If this traffic does not match any QoS classes, what default class is assigned?



Answer : D

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/qos-concepts/qos-classes


Question 1495

While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?



Answer : A


Question 1498

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to appear on the data center firewall, two conditions must hold on that firewall:

HIP profiles added to security rules: a HIP match log is written when a security rule that carries a HIP profile is evaluated against a session. If the redistributed HIP reports arrive but no rule on the data center firewall references a HIP profile, nothing is evaluated and no HIP match log is generated.

User-ID enabled on the incoming zone: HIP reports are tied to the user/IP mapping, so User-ID must be enabled on the zone where the users' traffic enters the data center firewall. Without it the firewall has no user for the session, cannot associate a HIP report with it, and never evaluates the HIP profile.

Options A and D concern logging and log forwarding; they affect where logs are sent, not whether the data center firewall generates HIP match logs in the first place.


Question 1499

An engineer is troubleshooting a traffic-routing issue.

What is the correct packet-flow sequence?



Answer : C

The correct packet-flow sequence is PBF > static route > security policy enforcement (Option C). Policy-Based Forwarding lets the firewall override the routing table and forward traffic based on source and destination address, application, user, or service, and it is evaluated before the route lookup; only when no PBF rule matches does the firewall fall back to the route table, where the static route with the longest matching prefix decides the egress interface and therefore the destination zone. Security policy enforcement comes after that, applying the rules that allow or block the session by zone, address, port, user, application, and so on. Reference: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS


Question 1500

Which statement applies to HA timer settings?



Answer : D

PAN-OS ships two predefined HA timer profiles, Recommended and Aggressive, plus an Advanced option for setting each timer by hand. Recommended (Option D) is the default and is meant for typical deployments: its timers are long enough to avoid failover flapping on a transient loss of hello or heartbeat packets while still giving dependable failover. Aggressive shortens the timers for faster failover at the cost of more sensitivity to brief control-link disruption.

Critical (Option A) and Moderate (Option B) are not predefined profiles, and Aggressive (Option C) uses shorter, not longer, timers than Recommended. The documentation specifies Recommended for standard use.


Question 1501

An existing log forwarding profile is currently configured to forward all threat logs to Panorama. The firewall engineer wants to add syslog as an additional log forwarding method. The requirement is to forward only medium or higher severity threat logs to syslog. Forwarding to Panorama must not be changed.

Which set of actions should the engineer take to achieve this goal?



Answer : C


Question 1502

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 1503

A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates.

What must occur to have Antivirus signatures update?



Answer : D


Question 1504

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)



Answer : A, B


Question 1506

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 1508

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding profile's built-in Tagging action lets the firewall act on its own logs without an external script: when a log entry matches the profile's filter, the firewall registers a tag against the source or destination address (or user) with the local User-ID agent, Panorama, or a remote User-ID agent. A dynamic address group (DAG) whose match criteria select that tag then picks up the address automatically, and a Security policy rule that references the DAG takes effect immediately, since DAG membership changes do not require a commit. Tagging the destination IP addresses of unwanted traffic in this way blocks further traffic to those destinations.

This is particularly useful for responding quickly to detected threats: the policy is written once, and group membership changes as logs arrive rather than through manual policy edits.

The PAN-OS Administrator's Guide covers log forwarding and its built-in actions in detail.
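The workflow described in this answer and in Questions 1477 and 1501 above (a severity match list, a tag registered against a user or an address, a dynamic group that picks it up) can be exercised outside the firewall as well. The script below is an added example, not code from this page or from Palo Alto Networks. It applies the equivalent of a (severity geq medium) log filter to constructed threat-log records, derives a malicious tag for the source user (dynamic user group) and the destination address (dynamic address group), and builds the <uid-message> XML that the PAN-OS User-ID API accepts. The log records, host name and API key are assumptions; the send function is included for completeness but is not invoked.

```python
"""Tag users and IPs from threat logs the way a Log Forwarding built-in action would."""
from __future__ import annotations

import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Severity ordering behind a PAN-OS log filter such as "(severity geq medium)".
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample threat-log records (not real firewall output):
# (receive_time, severity, src_ip, src_user, dst_ip, threat_name)
SAMPLE_THREAT_LOGS = [
    ("2024/05/01 10:00:01", "low", "10.1.1.5", "corp\\alice", "203.0.113.7", "Suspicious DNS Query"),
    ("2024/05/01 10:00:09", "high", "10.1.1.20", "corp\\bob", "198.51.100.9", "Malware Download Attempt"),
    ("2024/05/01 10:00:12", "critical", "10.1.1.31", "corp\\carol", "198.51.100.9", "Command and Control Beacon"),
    ("2024/05/01 10:00:20", "informational", "10.1.1.5", "corp\\alice", "203.0.113.8", "Scan: Host Sweep"),
]


def severity_geq(record: tuple, threshold: str) -> bool:
    """Equivalent of the log-forwarding match filter '(severity geq <threshold>)'."""
    return SEVERITY_RANK[record[1]] >= SEVERITY_RANK[threshold]


def select_records(records: list[tuple], threshold: str = "medium") -> list[tuple]:
    """Keep only the records a '(severity geq threshold)' match list would forward."""
    return [r for r in records if severity_geq(r, threshold)]


def tags_from_threat_logs(records, threshold: str = "medium", tag: str = "malicious"):
    """Derive the registrations: tag the source user (for a DUG) and the
    destination IP (for a DAG) of every record at or above the threshold."""
    user_tags: dict[str, set[str]] = {}
    ip_tags: dict[str, set[str]] = {}
    for _time, _sev, _src_ip, src_user, dst_ip, _threat in select_records(records, threshold):
        user_tags.setdefault(src_user, set()).add(tag)
        ip_tags.setdefault(dst_ip, set()).add(tag)
    return user_tags, ip_tags


def build_uid_message(user_tags, ip_tags) -> str:
    """Serialise the <uid-message> consumed by the PAN-OS User-ID API (type=user-id).
    <register> tags IP addresses (dynamic address groups); <register-user>
    tags users (dynamic user groups)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if ip_tags:
        reg = ET.SubElement(payload, "register")
        for ip, tags in sorted(ip_tags.items()):
            tag_el = ET.SubElement(ET.SubElement(reg, "entry", ip=ip), "tag")
            for t in sorted(tags):
                ET.SubElement(tag_el, "member").text = t
    if user_tags:
        reg = ET.SubElement(payload, "register-user")
        for user, tags in sorted(user_tags.items()):
            tag_el = ET.SubElement(ET.SubElement(reg, "entry", user=user), "tag")
            for t in sorted(tags):
                ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")


def send_uid_message(host: str, api_key: str, xml_body: str) -> str:
    """POST the message to https://<host>/api/ with type=user-id. Not called in
    this example; the management certificate must be trusted by this client."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_body}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", data=data, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    users, ips = tags_from_threat_logs(SAMPLE_THREAT_LOGS)
    print(build_uid_message(users, ips))
```

The tagged user corp\bob becomes a member of any dynamic user group whose match criteria select the malicious tag, and 198.51.100.9 joins the matching dynamic address group, without a commit on the firewall. On a real deployment the firewall's own Tagging action does this registration in-line; the script is the same data flow made visible, and is also the shape an external SIEM integration takes.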


Question 1509

Which rule type controls end user SSL traffic to external websites?



Answer : B

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.


Question 1510

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1511

Which three sessions are created by a NGFW for web proxy? (Choose three.)



Answer : A, B, C


Question 1513

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?



Answer : A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention


Question 1514

How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?



Question 1515

A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?



Answer : B

Advanced WildFire analyzes both the webpage linked by the URL and any files (like PE files) that are downloaded as a result of clicking that link. This includes checking the linked webpage for malicious content and sending any downloaded files for further analysis to determine their behavior and potential malicious intent.

The PCNSA Study Guide outlines that WildFire inspects and analyzes both content downloaded and webpages involved when integrated into the organization's security profile. This dual-layered approach ensures comprehensive protection against threats from both the webpage and its payloads.

Step-by-Step Explanation

Link Clicked and File Download Triggered:

When the user clicks the link, their action initiates the download of a file, in this case, a Portable Executable (PE) file.

URL Inspection by WildFire:

The URL is immediately inspected for potential threats. This involves analyzing the webpage associated with the link to detect:

Known malicious indicators.

Suspicious elements like embedded scripts, links, or calls to external resources.

Forwarding the PE File for Analysis:

The PE file downloaded as a result of clicking the link is sent to the WildFire cloud or on-premises appliance for detailed behavior-based analysis.

Dynamic and Static Analysis:

Static Analysis: WildFire examines the PE file's attributes without executing it, looking for:

Suspicious code patterns.

Known malicious signatures.

Anomalous PE header details (e.g., timestamp irregularities, unexpected sections).

Dynamic Analysis: The file is executed in a controlled virtual environment to observe:

Behavioral anomalies, like privilege escalation attempts.

Network communication, such as connections to Command and Control (C2) servers.

File system modifications or registry changes indicative of malicious intent.

Threat Verdict:

Based on its findings, WildFire classifies the URL and PE file into one of the following categories:

Benign.

Grayware.

Malware.

Phishing.

Automated Response:

If either the webpage or the PE file is deemed malicious, the firewall takes predefined actions:

Blocking access to the webpage.

Quarantining or blocking the downloaded file.

Generating a detailed alert or log entry for administrators.

Signature Update:

WildFire automatically creates a signature for the detected threat and distributes it globally. This ensures that other systems in the WildFire network are protected against the same threat.

Advanced WildFire Configuration and Behavior

Forwarding File Types:

The WildFire analysis profile must be configured to forward relevant file types. In this case:

PE files are commonly forwarded by default since they are a known vector for malware.

Administrators can define custom forwarding rules based on file type and traffic.

Integration with the Security Profile:

WildFire integrates with other security profiles (e.g., Antivirus, Anti-Spyware, URL Filtering).

URL Filtering ensures that the link itself is categorized and blocked if malicious.

WildFire's output informs and updates the threat prevention database dynamically.

Why the answer is B

WildFire performs dual analysis:

The linked webpage is checked for malicious scripts or phishing attempts.

The PE file downloaded is analyzed for malware through both static and dynamic methods.

This layered analysis ensures robust protection against modern threats, which often combine malicious webpages with harmful payloads.

Document Reference:

PCNSA Study Guide: Domain 4, Section 4.1.5 ('WildFire Analysis') explains the WildFire analysis process in detail, emphasizing its role in inspecting files and URLs for malicious behavior.

Palo Alto Networks WildFire Admin Guide:

This guide details file forwarding configurations, supported file types, and the global signature distribution process.

PAN-OS Admin Guide:

Sections on Security Profiles and URL Filtering elaborate on how WildFire integrates with other threat prevention mechanisms.


Question 1516

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 1517

When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?



Answer : C

The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.

Reference https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals


Question 1518

A firewall engineer is migrating port-based rules to application-based rules by using the Policy Optimizer. The engineer needs to ensure that the new application-based rules are future-proofed, and that they will continue to match if the existing signatures for a specific application are expanded with new child applications. Which action will meet the requirement while ensuring that traffic unrelated to the specific application is not matched?



Answer : D

With Policy Optimizer, adding the container application (Option D) keeps the rule future-proof. A container app such as facebook groups its child apps (facebook-base, facebook-chat, and so on), and a rule that references the container also matches any child signature Palo Alto Networks adds later, without widening the rule to unrelated traffic.

Option A (a custom application defined by ports) reverts to port-based logic and discards the App-ID benefit. Option B (an application filter) matches by category, subcategory, technology, or risk and can therefore pull in unrelated applications. Option C (listing the specific child apps) stops matching as soon as a new child app is introduced. Container apps are the documented way to cover an application family in one rule.


Question 1519

A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail? (Choose three.)



Answer : C, D, E


Question 1520

Exhibit.

Review the screenshots and consider the following information:

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 is defined in several device groups with different IP addresses. Device groups form a hierarchy: an object is inherited from an ancestor (ultimately Shared) unless a device group closer to the firewall defines an object of the same name, in which case the nearer definition wins for every firewall below it.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.
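The inheritance rule the analysis relies on (nearest definition wins, walking from the firewall's device group up to Shared) can be checked mechanically. The script below is an added example, not code from this page or from Panorama. The tree it uses is a reconstruction of the exhibit and is an assumption, as are the 2.2.2.2 and 3.3.3.3 values; only Shared = 1.1.1.1 and FW-1_DG = 4.4.4.4 are taken from the analysis above. It resolves the value each firewall receives and lists every object definition that overrides one further up the tree, which is the check to run before a push when the same object name appears at several levels.

```python
"""Resolve which value of a Panorama address object a firewall receives."""
from __future__ import annotations

# Reconstructed device-group tree (an assumption for this example; the page's
# screenshots are not reproduced): child -> parent, with Shared at the root.
PARENT = {
    "DATACENTER_DG": "Shared",
    "DC_FW_DG": "DATACENTER_DG",
    "REGIONAL_DG": "Shared",
    "OFFICE_FW_DG": "REGIONAL_DG",
    "FW-1_DG": "OFFICE_FW_DG",
}

# Object definitions per device group. Shared=1.1.1.1 and FW-1_DG=4.4.4.4 come
# from the page's analysis; the DATACENTER_DG and DC_FW_DG values are constructed.
OBJECTS = {
    "Shared": {"Server-1": "1.1.1.1"},
    "DATACENTER_DG": {"Server-1": "2.2.2.2"},
    "DC_FW_DG": {"Server-1": "3.3.3.3"},
    "REGIONAL_DG": {},
    "OFFICE_FW_DG": {},
    "FW-1_DG": {"Server-1": "4.4.4.4"},
}

# Firewall-to-device-group assignment as stated in the question.
FIREWALL_DG = {"FW-1": "FW-1_DG", "FW-2": "OFFICE_FW_DG"}


def lineage(device_group: str) -> list[str]:
    """The device group followed by its ancestors, ending at Shared."""
    chain = [device_group]
    while chain[-1] != "Shared":
        if chain[-1] not in PARENT:
            raise KeyError(f"unknown device group {chain[-1]!r}")
        chain.append(PARENT[chain[-1]])
    return chain


def resolve(name: str, device_group: str) -> tuple[str, str]:
    """Nearest definition wins: walk from the device group up to Shared and
    return (value, defining_device_group). A same-named object in a descendant
    overrides the ancestor's definition for every firewall in that subtree."""
    for dg in lineage(device_group):
        if name in OBJECTS.get(dg, {}):
            return OBJECTS[dg][name], dg
    raise LookupError(f"{name} is not defined for {device_group} or its ancestors")


def pushed_value(firewall: str, name: str) -> str:
    """Value an individual firewall receives on a device-group push."""
    return resolve(name, FIREWALL_DG[firewall])[0]


def find_overrides() -> list[tuple[str, str, str, str, str]]:
    """Audit helper: every object whose definition in a device group shadows a
    definition further up the tree, as (name, dg, value, ancestor, ancestor_value)."""
    hits = []
    for dg, objs in OBJECTS.items():
        if dg == "Shared":
            continue
        for name, value in objs.items():
            for ancestor in lineage(dg)[1:]:
                if name in OBJECTS.get(ancestor, {}):
                    hits.append((name, dg, value, ancestor, OBJECTS[ancestor][name]))
                    break
    return sorted(hits)


if __name__ == "__main__":
    for fw in FIREWALL_DG:
        print(fw, "receives Server-1 =", pushed_value(fw, "Server-1"))
    for hit in find_overrides():
        print("override:", hit)
```

FW-1 resolves Server-1 to 4.4.4.4 from its own device group; FW-2 walks OFFICE_FW_DG and REGIONAL_DG, finds nothing, and inherits 1.1.1.1 from Shared. The override listing is the part worth keeping: a firewall in DC_FW_DG would silently get 3.3.3.3 rather than the DATACENTER_DG value, which is exactly the kind of surprise a push review should catch.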


Question 1521

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows



Answer : A


Question 1522

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?



Answer : C


Question 1523

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 1524

An administrator is using Panorama to manage multiple firewalls. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to Panorama.

However, pre-existing logs from the firewalls are not appearing in Panorama.

Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?



Question 1525

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 1526

When an engineer configures an active/active high availability pair, which two links can they use? (Choose two)



Answer : C, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them. To configure an active/active high availability pair, the following links are required:

HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.


Question 1527

Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?



Answer : B

In Palo Alto Networks firewalls, when multiple static routes exist for the same destination, the firewall uses the administrative distance (AD) to determine route priority. The AD is a metric that indicates the trustworthiness of a route, with lower values indicating higher priority. For static routes, the default AD is 10, but this can be manually adjusted. The route with the lowest AD is preferred and added to the routing table. If AD values are equal, the firewall then considers the metric (default 10), but AD is the primary differentiator.

Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto's implementation.


Question 1528

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 1529

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.



Answer : A

To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a 'master device' must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.

Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.


Question 1530

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?



Answer : B

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9


Question 1531

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server.

Where can the firewall engineer define the data to be added into each forwarded log?



Answer : A

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format

Step-by-Step

Understanding Log Forwarding in PAN-OS:

Palo Alto Networks firewalls allow forwarding logs to external systems like syslog servers, SNMP servers, or email systems for external analysis or compliance.

Traffic logs can be customized to include additional information that meets the audit or operational requirements.

Syslog Server Profiles:

Syslog Server Profiles specify the format and destination of the log data sent to the syslog server.

These profiles allow customization through the Custom Log Format option, where the firewall engineer can add or modify log fields (e.g., source address, destination address, URL category).

Custom Log Format:

Navigate to Device > Server Profiles > Syslog.

Within the Syslog Server Profile, define a Custom Log Format for traffic logs.

Using this feature, the engineer can include additional fields requested by the internal audit team, such as threat severity, application details, or user ID.

Field Specification:

In the Custom Log Format, fields are defined using variables corresponding to the log fields in PAN-OS.

Example:

$receive_time,$src,$dst,$app,$action,$rule

The engineer can include specific details as requested by the audit team.

Comparison of Other Options:

Option B: Built-in Actions within Objects > Log Forwarding Profile

Log Forwarding Profiles are used to specify what logs are forwarded based on security policy matches. However, they do not control the format of logs.

Log Forwarding Profiles define actions (e.g., forwarding to syslog, SNMP), but customization of log data happens within Syslog Server Profiles.

Option C: Logging and Reporting Settings within Device > Setup > Management

These settings control general logging behavior and settings but do not allow customization of log data for syslog forwarding.

Option D: Data Patterns within Objects > Custom Objects

Data Patterns are used for identifying sensitive data or patterns in data filtering. They are unrelated to log customization.

Why A is correct:

The Custom Log Format under Device > Server Profiles > Syslog is the only place where additional information can be defined and added to forwarded traffic logs.

This flexibility allows the firewall engineer to meet specific compliance or audit requirements.

Documentation Reference:

PCNSA Study Guide: Logging and Monitoring section discusses Syslog Server Profiles and log forwarding configurations.

PAN-OS Admin Guide: Covers Custom Log Format configuration under the Syslog Server Profile.


Question 1532

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.

The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?



Answer : C


Question 1533

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 1534

Which protocol is supported by GlobalProtect Clientless VPN?



Answer : D

Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html


Question 1535

An administrator needs to identify which NAT policy is being used for internet traffic.

From the Monitor tab of the firewall GUI, how can the administrator identify which NAT policy is in use for a traffic flow?



Answer : A

The Traffic view in the Monitor tab of the firewall GUI can display the information about the NAT policy that is in use for a traffic flow, if the Source or Destination NAT columns are included and reviewed in the detailed log view. The Source NAT column shows the translated source IP address and port, and the Destination NAT column shows the translated destination IP address and port. These columns can help the administrator identify which NAT policy is applied to the traffic flow based on the pre-NAT and post-NAT addresses and ports.


Question 1536

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?



Answer : B

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other


Question 1537

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 1538

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)



Answer : B, C

For Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. Configure an HTTP server profile to forward logs to a remote User-ID agent. Select the log forwarding profile you created, then select this server profile as the HTTP server profile. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions


Question 1539

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 1540

A network security administrator has been tasked with deploying User-ID in their organization.

What are three valid methods of collecting User-ID information in a network? (Choose three.)



Answer : A, B, C

User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on their usernames, IP addresses, and other attributes1. User-ID information can be collected from various sources, such as:

A: Windows User-ID agent: A software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the user information to the firewall or Panorama for user mapping.

B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the network. GlobalProtect also collects user information from the endpoints and sends it to the firewall or Panorama for user mapping.

C: XMLAPI: An application programming interface that allows external systems or scripts to send user information to the firewall or Panorama in XML format. The XMLAPI can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.


Question 1541

Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?



Answer : C

The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources. Option D is false; the standalone agent can run on any server. The original answer (B) was incorrect, contributing to the 83% Core Concepts score.


Question 1542

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?



Answer : D

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516


Question 1543

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.

Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.


Question 1544

What should an engineer consider when setting up the DNS proxy for web proxy?



Answer : A


Question 1545

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?



Answer : A


Question 1546

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?



Answer : C

Decryption can be resource-intensive, and in scenarios where the firewall is nearing its resource limits, optimizing decryption practices is crucial. One way to do this is by choosing more efficient encryption algorithms that require less computational power.

C. Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority:

Elliptic Curve Digital Signature Algorithm (ECDSA) is known for requiring smaller key sizes compared to RSA for a comparable level of security. This translates to less computational overhead during the encryption and decryption processes.

By using ECDSA for traffic that isn't sensitive or high-priority, the administrator can reduce the processing load associated with decryption on the firewall. This is particularly beneficial in scenarios where resource optimization is necessary.

It's important to note that this approach does not compromise the security of encrypted traffic. Instead, it offers a more resource-efficient way to manage decryption, thus helping to maintain firewall performance even when system resources are under significant demand.

By judiciously applying this strategy, administrators can manage the decryption workload on the firewall, ensuring continued protection and inspection of encrypted traffic without overburdening the firewall's resources.


Question 1547

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1548

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed.

What is one way the administrator can meet this requirement?



Answer : B

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the "Force Template Values" option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template. This way, the administrator can ensure that the interface configuration and any other


Question 1549

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

WildFire logs showing a 'malicious' verdict with an 'allow' action indicate that the initial traffic wasn't blocked in real-time, likely because the Antivirus profile isn't configured to act immediately on WildFire verdicts. By default, WildFire submits files for analysis, and signatures may take up to 24 hours to propagate globally unless real-time blocking is enabled. Configuring the Antivirus security profile (Option B) to 'block' on malicious WildFire verdicts ensures that threats are blocked within minutes once the verdict is returned (typically 5-15 minutes), leveraging WildFire's real-time signature updates.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.


Question 1550

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 1551

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 1552

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 1553

What are three prerequisites for credential phishing prevention to function? (Choose three.)



Answer : A, D, E


Question 1554

Which rule type controls end user SSL traffic to external websites?



Answer : B

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.


Question 1555

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1556

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?



Answer : C


Question 1557

Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.)



Answer : A, B, C


Question 1558

Which new PAN-OS 11.0 feature supports IPv6 traffic?



Answer : A

https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by-feature-table


Question 1559

As a best practice, which URL category should you target first for SSL decryption?



Answer : B

Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.

Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.


Question 1560

A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories.

Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall?



Answer : A

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention


Question 1561

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 1562

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections.

What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?



Answer : B

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.

The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.


Question 1563

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

Palo Alto Networks Panorama 7.0 Administrator's Guide, Manage Firewalls > Manage Device Groups > Add a Device Group: After adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device Groups (up to 256), as follows. Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. To manage rules and objects at different administrative levels in your organization, Create a Device Group Hierarchy.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 1564

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.)



Question 1565

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)



Answer : B, D

The two key exchange algorithms that consume the most resources when decrypting SSL traffic are ECDHE and DHE. These are both Diffie-Hellman based algorithms that enable perfect forward secrecy (PFS), which means that they generate a new and unique session key for each SSL/TLS session, and do not reuse any previous keys. This enhances the security of the encrypted communication, but also increases the computational cost and complexity of the key exchange process. ECDHE stands for Elliptic Curve Diffie-Hellman Ephemeral, which uses elliptic curve cryptography (ECC) to generate the session key. DHE stands for Diffie-Hellman Ephemeral, which uses modular arithmetic to generate the session key. Both ECDHE and DHE require more CPU and memory resources than RSA, which is a non-PFS algorithm that uses public and private keys to encrypt and decrypt the session key. Reference: Key Exchange Algorithms, Best Practices for Enabling SSL Decryption, PCNSE Study Guide (page 60)


Question 1566

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 1567

The vulnerability protection profile of an on-premises Palo Alto Networks firewall is triggering on a common Threat ID, and it has been determined to be a false positive. The issue causes an outage of a critical service. When the vulnerability protection profile is opened to add the exception, the Threat ID is missing. Which action will most efficiently find and implement the exception?



Answer : B

When a Threat ID isn't visible in the Vulnerability Protection profile's Exceptions tab, selecting 'Show all signatures' (Option B) reveals all available threat signatures, including those not recently triggered, allowing the administrator to add an exception efficiently. This is the fastest way to resolve false positives without external assistance.

Option A (system logs) may explain the absence but doesn't implement the fix. Option C (traffic logs) allows rule-based workarounds, not profile exceptions. Option D (support case) is slower and unnecessary. Documentation confirms this method.


Question 1568

Exhibit.

Review the screenshots and consider the following information:

1. FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.

2. There are no objects configured in the REGIONAL_DG and OFFICE_FW_DG device groups.

Which IP address will be pushed to the firewalls inside Address Object Server-1?



Answer : A

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.


Question 1569

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 1570

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management.

Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?



Answer : A


Question 1571

An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?



Answer : A


Question 1572

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration.

What type of service route can be used for this configuration?



Answer : A


Question 1573

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0.

What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.)



Answer : C, D

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/explicit-proxy/explicit-proxy-how-it-works

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1574

Which action can be taken to immediately remediate the issue of application traffic with a valid use case triggering the decryption log message, "Received fatal alert UnknownCA from client"?



Answer : B

The 'Received fatal alert UnknownCA from client' log indicates the client rejects the firewall's decryption certificate because it doesn't trust the CA. For a valid use case, adding the certificate's Common Name (CN) to the SSL Decryption Exclusion List (Option B) bypasses decryption for that site, allowing traffic to proceed without interruption. This is an immediate fix within the firewall's control.

Option A (revocation checking) addresses different issues. Option C (check expired certificates) is diagnostic, not immediate. Option D (contact site admin) is external and slow. Documentation recommends exclusions for such errors.


Question 1575

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B . The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 1576

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration.

What part of the configuration should the engineer verify?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS

https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789


Question 1577

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?



Answer : C


Question 1578

As a best practice, logging at session start should be used in which case?



Answer : A


Question 1579

A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.)



Answer : A, D, E

For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

A . External zones with the virtual systems added:

External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.

D . Add a route with next hop next-vr by using the VR configured in the virtual system:

When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.

E . Ensure the virtual systems are visible to one another:

Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.

By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.


Question 1580

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C . Place a more specific NAT rule above the broader one:

Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.

Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.

Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.


Question 1581

After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?



Answer : D


Question 1582

A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configured. Which interface mode can pass the broadcast DHCP traffic?



Answer : B


Question 1583

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?



Answer : B

Set the Action to take when matching a packet:

Forward: Directs the packet to the specified Egress Interface.

Forward to VSYS (on a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.

Discard: Drops the packet.

No PBF: Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c


Question 1584

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 1585

Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)



Answer : A, B


Question 1586

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 1587

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD


Question 1588

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods.

Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 1589

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?



Answer : D

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic.

Reference: App-ID Overview, Create a Security Policy Rule


Question 1590

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?



Answer : C

When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the 'Preview Changes' feature.

A . Click Preview Changes under Push Scope:

The 'Preview Changes' option is available under the 'Push Scope' in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.

This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.

This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.


Question 1591

A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruption and without making any IP changes. What is the best option for the administrator to take?



Answer : D


Question 1592

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What should the administrator configure in the User-ID agent?



Answer : D


Question 1593

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1594

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)



Question 1595

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall, but not on the data center firewall.

What are two reasons why the administrator is not seeing HIP match logs on the data center firewall? (Choose two.)



Answer : B, C

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.

User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.


Question 1596

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?



Answer : B


Question 1597

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server as well as to the log collectors. There is a known logging peak time during the day, and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?



Answer : A


Question 1598

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 1599

Which tool will allow review of the policy creation logic to verify that unwanted traffic is not allowed?



Answer : B

The Test Policy Match tool in PAN-OS allows administrators to simulate traffic against the current security policy set to verify how it will be handled. By inputting source/destination IPs, ports, protocols, and other parameters, it shows which rule matches and whether the traffic is allowed or denied, making it ideal for ensuring unwanted traffic is blocked.

Option A (Managed Devices Health) monitors device status, not policy logic. Option C (Preview Changes) shows configuration diffs, not traffic matching. Option D (Policy Optimizer) helps refine rules but doesn't test specific traffic scenarios. Test Policy Match is the documented tool for this purpose.


Question 1600

An engineer is designing a deployment of multi-vsys firewalls.

What must be taken into consideration when designing the device group structure?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama.

Reference: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)


Question 1601

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 1602

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?



Answer : B


Question 1603

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 1604

An engineer is configuring a Protection profile to defend specific endpoints and resources against malicious activity.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.

Which profile is the engineer configuring?



Answer : D

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods.

Reference: DoS Protection, PCNSE Study Guide (page 58)


Question 1605

Which translated port number should be used when configuring a NAT rule for a transparent proxy?



Answer : C

A transparent proxy operates by intercepting traffic without client configuration, typically redirecting HTTP (port 80) or HTTPS (port 443) to a proxy port on the firewall. In Palo Alto Networks NGFWs, when configuring a NAT rule for a transparent proxy, the standard translated port is 8080 (Option C), commonly used for proxy services. This port is where the firewall redirects client traffic for processing (e.g., URL filtering or decryption) before forwarding it to the destination.

Option A (80) is the original HTTP port, not a proxy port. Option B (443) is for HTTPS, not transparent proxy redirection. Option D (4443) is non-standard and unrelated. Documentation and best practices confirm 8080 for this use case.


Question 1606

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below.

Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?



Question 1607

A network security engineer is going to enable Zone Protection on several security zones. How can the engineer ensure that Zone Protection events appear in the firewall's logs?



Answer : A


Question 1608

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?



Answer : D

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic.

Reference: App-ID Overview, Create a Security Policy Rule


Question 1609

Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs?



Answer : C


Question 1610

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1611

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B . The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.


Question 1612

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama.

Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 1613

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?



Answer : C


Question 1614

An administrator has been tasked with configuring decryption policies,

Which decryption best practice should they consider?



Answer : A

The decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner.


Question 1615

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template can an engineer configure? (Choose three.)



Answer : A, C, D

A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama. A template can contain settings such as:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.


Question 1616

An organization wants to begin decrypting guest and BYOD traffic.

Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?



Answer : A

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal page can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML [1]. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet [2].

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc. [3]. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy [4]. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc. [5]. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

References:

[1] Configure an Authentication Portal

[2] Redirect Users Through an Authentication Portal

[3] SSL Decryption Profile

[4] Decryption Policy

[5] Comfort Pages


Question 1617

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Device Telemetry data from a firewall that has a device certificate installed is stored in Cortex Data Lake (now branded Strata Logging Service); the device certificate is what the firewall uses to authenticate to that service when it forwards telemetry. The telemetry includes information about threats, device health, and other operational metrics that Palo Alto Networks uses to improve its security services and threat intelligence. The data is transmitted over an encrypted channel, and the administrator controls which telemetry categories the firewall shares. Because the data is held in Cortex Data Lake rather than on the firewall, Panorama, or a log collector, the administrator does not need local storage for it.


Question 1618

An administrator notices that interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?



Answer : C


Question 1619

What are three prerequisites for credential phishing prevention to function? (Choose three.)



Answer : A, D, E


Question 1620

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server, and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1621

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1622

If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?



Answer : A


Question 1623

Which two components are required to configure certificate-based authentication to the web UI when firewall access is needed on a trusted interface? (Choose two.)



Answer : B, D


Question 1624

Which log type is supported in the Log Forwarding profile?



Answer : C


Question 1625

An organization uses the User-ID agent to control access to sensitive internal resources. A firewall engineer adds Security policies to ensure only User A has access to a specific resource. User A was able to access the resource without issue before the updated policies, but now is having intermittent connectivity issues. What is the most likely resolution to this issue?



Answer : A


Question 1626

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in place for approved web traffic?



Answer : B


Question 1627

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?



Answer : B


Question 1628

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What the 0 the User



Answer : D


Question 1629

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.

Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.


Question 1630

A firewall administrator wants to have visibility into one segment of the company network. The traffic on the segment is routed on the backbone switch. The administrator is planning to apply security rules on segment X after getting the visibility. There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to handle extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruption and without making any IP changes. What is the best option for the administrator to take?



Answer : D


Question 1631

Which log type would provide information about traffic blocked by a Zone Protection profile?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

D is the correct answer because the Threat log records traffic blocked by a Zone Protection profile. Zone Protection profiles protect the network from attacks, including common floods, reconnaissance, and other packet-based attacks [1]. The firewall classifies these as threats and logs them in the Threat log [2]. The Threat log displays information such as the source and destination IP addresses, ports, zones, application, threat type, action, and severity of each event [2].

Verified Reference:

[1] Zone protection profiles - Palo Alto Networks Knowledge Base

[2] Threat Log Fields - Palo Alto Networks


Question 1633

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?



Answer : B

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first


Question 1634

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1635

Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)



Answer : A, C


Question 1636

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory.

What must be configured in order to select users and groups for those rules from Panorama?



Answer : D

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a 'master device' in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.


Question 1637

An engineer is deploying multiple firewalls with common configuration in Panorama.

What are two benefits of using nested device groups? (Choose two.)



Answer : A, D

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy


Question 1638

After importing a pre-configured firewall configuration to Panorama, what step is required to ensure a commit/push is successful without duplicating local configurations?



Answer : C

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.


Question 1639

An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?



Answer : A


Question 1640

An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: "Received fatal alert UnknownCA from client."

How should the administrator remediate this issue?



Answer : C


Question 1641

When creating a Policy-Based Forwarding (PBF) policy, which two components can be used? (Choose two.)



Answer : A, D


Question 1643

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 1644

An administrator is attempting to create policies for deployment of a device group and template stack. When creating the policies, the zone drop-down list does not include the required zone.

What must the administrator do to correct this issue?



Answer : C

A device group only sees the zones defined in the templates it references. Adding the firewall to both the template and the device group is not enough: the device group will still not see what is in the template until the administrator references the template (or template stack) in the device group, after which its zones appear in the drop-down list when building policies. The following Knowledge Base article includes a video that demonstrates this. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG


Question 1645

A firewall engineer needs to patch the company's Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?



Answer : B


Question 1646

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)



Answer : C, D


Question 1647

An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group.

What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?



Answer : B

https://live.paloaltonetworks.com/t5/general-topics/what-is-a-master-device-in-device-groups/td-p/15032

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMtpCAG


Question 1648

Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?



Answer : B

In Palo Alto Networks firewalls, when multiple static routes exist for the same destination prefix, the firewall uses the administrative distance (AD) to choose between them. The AD expresses how trustworthy a route is; the lower the value, the higher the priority, and the route with the lowest AD is installed in the forwarding table. For static routes the default AD is 10, and it can be set per route. If the AD values are equal, the firewall then compares the metric (default 10), but AD is the primary differentiator. Note that prefix length is evaluated before AD: a more specific route to the server always wins over a less specific one, whatever their AD values.

Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting path failures, not a route-ranking mechanism. Option D (highest AD) is the opposite of the actual behaviour. This aligns with standard routing principles and Palo Alto Networks' implementation.
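The following is an added example and not code from the exam page or from Palo Alto Networks. It models the route selection order described above (longest prefix first, then lowest administrative distance, then lowest metric) so the tie-breaking can be checked on constructed sample routes; the prefixes and next hops are assumed test data.

```python
"""Toy model of static route selection as described for PAN-OS virtual routers.

Added example, not Palo Alto Networks code. Preference order:
  1. longest matching prefix
  2. lowest administrative distance (AD)
  3. lowest metric
The sample routes and next hops below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix in CIDR notation
    next_hop: str          # next-hop address (assumed sample value)
    admin_distance: int = 10   # PAN-OS default AD for static routes
    metric: int = 10           # PAN-OS default metric for static routes


def select_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Return the route the forwarding table would use for dst_ip, or None."""
    ip = ip_address(dst_ip)
    candidates = [r for r in routes if ip in ip_network(r.prefix)]
    if not candidates:
        return None
    # Sort key: longer prefix first (negated), then lower AD, then lower metric.
    return min(
        candidates,
        key=lambda r: (-ip_network(r.prefix).prefixlen, r.admin_distance, r.metric),
    )


# Constructed sample routing table (documentation prefixes, assumed next hops).
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", "10.1.1.1", admin_distance=10),   # preferred /24: lowest AD
    Route("192.0.2.0/24", "10.1.2.1", admin_distance=20),   # backup /24: higher AD
    Route("192.0.2.50/32", "10.1.3.1", admin_distance=200), # host route: wins on prefix length
    Route("198.51.100.0/24", "10.1.4.1", metric=10),        # equal AD, higher metric
    Route("198.51.100.0/24", "10.1.5.1", metric=5),         # equal AD, lower metric wins
]


if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.50", "198.51.100.7", "203.0.113.1"):
        chosen = select_route(SAMPLE_ROUTES, dst)
        print(dst, "->", chosen.next_hop if chosen else "no route")
```

Run the module to see which next hop each destination resolves to; the host route for 192.0.2.50 is chosen despite its AD of 200, which is the case to remember when a "wrong" AD appears to be ignored.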


Question 1649

An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?



Answer : D

From the Panorama 7.0 Administrator's Guide (Manage Firewalls > Manage Device Groups > Add a Device Group): after adding firewalls (see Add a Firewall as a Managed Device), you can group them into device groups (up to 256). Be sure to assign both firewalls in an active-passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize pushed rules across HA peers. Panorama therefore pushes the configuration to both peers of the pair, not only to the active firewall.

https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management


Question 1650

The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?



Answer : D


Question 1651

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 1652

An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?



Answer : C

The Exceptions tab of a Vulnerability Protection profile lets you change the response to a specific signature. For example, you can block all packets that match the profile's rules except for a selected signature, which only generates an alert. The Exceptions tab supports filtering, including by CVE identifier.

To verify, log in to the firewall, go to Objects > Security Profiles > Vulnerability Protection, open the profile, select the Exceptions tab, and check 'Show all signatures'. The list then shows every threat signature with its CVE references and the action the profile applies to it.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question 1653

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?



Answer : B

In a High Availability (HA) setup with Palo Alto Networks firewalls, the synchronization of IPsec tunnel Security Associations (SAs) is an important aspect to ensure seamless failover and continued secure communication. Specifically, for Phase 2 SAs, they are synchronized over the HA2 links. The HA2 link is dedicated to synchronizing sessions, forwarding tables, IPSec SA, ARP tables, and other critical information between the active and passive firewalls in an HA pair. This ensures that the passive unit can immediately take over in case the active unit fails, without the need for re-establishing IPsec tunnels, thereby maintaining secure communications without interruption. It's important to note that Phase 1 SAs, which are responsible for establishing the secure tunnel itself, are not synchronized between the HA pair, as these need to be re-established upon failover to ensure secure key exchange.


Question 1654

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1655

Which Panorama mode should be used so that all logs are sent to, and only stored in, Cortex Data Lake?



Answer : D


Question 1656

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 1657

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine replaces the legacy virtual router with logical routers and adds routing capabilities such as route maps, prefix lists, and filters for BGP and OSPF. It is not enabled per virtual router. The administrator selects Device > Setup > Management, edits General Settings, enables the Advanced Routing option, commits the change, and then reboots the firewall; the new engine is only active after the reboot, at which point logical routers are configured under Network > Routing instead of Network > Virtual Routers. Because the change requires a reboot, it should be scheduled in a maintenance window.


Question 1658

A firewall engineer creates a source NAT rule to allow the company's internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule.

Which set of steps should the engineer take to accomplish this objective?



Answer : C

In Palo Alto Networks firewalls, NAT rules are evaluated top-down and the first matching rule wins, just like Security policy rules. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C. Place a more specific NAT rule above the broader one:

Create a source NAT rule (NAT-Rule-1) that translates the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule lets the rest of the subnet access the internet through NAT.

Create another NAT rule (NAT-Rule-2) with the source address in the original packet set to the IP address that should not be translated (10.0.0.10/32) and the source translation set to none. Traffic from this host then leaves with its private source address, which is not routable on the internet. Pair this with an explicit Security policy rule that denies 10.0.0.10 to the untrust zone rather than relying on the missing translation alone.

Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list so that the more specific rule is evaluated first. If NAT-Rule-2 were below NAT-Rule-1, the broader rule would match 10.0.0.10 first and the exception would never take effect.

This configuration relies on rule ordering, not on the firewall automatically preferring the more specific rule, to exclude a single host from source NAT translation.
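As an added example that is not part of the exam page or Palo Alto Networks' own code, the following toy evaluator reproduces the top-down, first-match NAT behaviour described above and includes a check that flags a rule shadowed by a broader rule placed above it. The rule names follow the explanation; the public translation address 203.0.113.10 is an assumed value.

```python
"""Toy model of top-down, first-match NAT rule evaluation (added example, not PAN-OS code).

Shows why the no-translate rule for 10.0.0.10/32 must sit above the broad
source-NAT rule for 10.0.0.0/23, and how to detect the shadowing mistake.
The translated address 203.0.113.10 is an assumed documentation IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    source: str                  # original-packet source address, CIDR notation
    translate_to: Optional[str]  # None models "Source Translation: none"


def match_nat(rules: List[NatRule], src_ip: str) -> NatRule:
    """Return the first rule whose source range contains src_ip.

    Later rules are never evaluated once a match is found, exactly like the
    firewall's NAT policy lookup.
    """
    ip = ip_address(src_ip)
    for rule in rules:
        if ip in ip_network(rule.source):
            return rule
    raise LookupError(f"no NAT rule matches {src_ip}")


def check_ordering(rules: List[NatRule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs.

    A rule is shadowed when an earlier rule's source range fully contains its
    source range, so it can never match any packet.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.source)
        for earlier in rules[:i]:
            if net.subnet_of(ip_network(earlier.source)):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


# Rules from the explanation above; the public IP is an assumed value.
BROAD = NatRule("NAT-Rule-1", "10.0.0.0/23", "203.0.113.10")
EXEMPT = NatRule("NAT-Rule-2", "10.0.0.10/32", None)

CORRECT_ORDER = [EXEMPT, BROAD]   # specific rule first: exemption works
WRONG_ORDER = [BROAD, EXEMPT]     # broad rule first: exemption is shadowed


if __name__ == "__main__":
    for label, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        hit = match_nat(policy, "10.0.0.10")
        print(f"{label} order: 10.0.0.10 matches {hit.name}, translate_to={hit.translate_to}")
        print(f"{label} order: shadowed rules = {check_ordering(policy)}")
```

The shadowing check is the kind of test worth running against an exported NAT rulebase before a commit: it reports the exact pair of rules that need reordering instead of leaving the mistake to be found from traffic logs.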


Question 1659

A network administrator configured a site-to-site VPN tunnel where the peer device will act as the initiator. None of the peer addresses are known.

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer device will act as the initiator and none of the peer addresses are known, the administrator should enable Passive Mode on the IKE gateway. Passive Mode makes the firewall act as the responder only: it waits for the peer to initiate the IKE negotiation and never attempts to initiate the tunnel itself, so it does not need to know the peer's address. The other options do not solve the problem on their own. Option A, certificate authentication, determines how the peers authenticate each other, not how the tunnel is brought up when the peer address is unknown. Option C, the Dynamic peer IP address type, is normally configured on the same IKE gateway when the peer address is unknown, but it only describes how the peer is identified; Passive Mode is the setting that makes the firewall wait for the peer. Option D, a peer address expressed as an FQDN, requires a name that resolves to the peer, which the administrator does not have.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 1660

An administrator configures HA on a customer's Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?



Answer : C

Ping Interval---Specify the interval between pings that are sent to the destination IP address (range is 200 to 60,000ms; default is 200ms).

Ping Count---Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).


Question 1661

The UDP-4501 protocol-port is used between which two GlobalProtect components?



Answer : B


Question 1662

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks.

The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate.

What else should the administrator do to stop packet buffers from being overflowed?



Answer : C


Question 1663

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?



Answer : B

When a local configuration override occurs on a firewall managed by Panorama, the administrator can enforce Panorama's centralized management by pushing the template configuration with the 'Force Template Values' option. This option overwrites any local changes on the firewall, ensuring that the Panorama-defined configuration (e.g., interface settings) takes precedence and prevents further overrides unless explicitly allowed.

Option A (device-group commit push) applies to policies and objects, not templates. Option C (commit force from CLI) reinforces local changes, not Panorama's control. Option D (reload running config) is disruptive and doesn't enforce Panorama's template. The 'Force Template Values' option is the documented method for this use case.


Question 1664

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 1665

Which three methods are supported for split tunneling in the GlobalProtect Gateway? (Choose three.)



Answer : C, D, E


Question 1666

A company has a PA-3220 NGFW at the edge of its network and wants to use Active Directory groups in its Security policy rules. There are 1500 groups in its Active Directory. An engineer has been provided 800 Active Directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 1667

Which statement applies to HA timer settings?



Answer : D

High Availability (HA) timer settings in PAN-OS control failover speed and stability. The Recommended profile (Option D) is the default and provides balanced timers (e.g., 1000ms heartbeat interval) suitable for typical deployments, ensuring reliable failover without excessive sensitivity.

Option A (Critical profile) uses faster timers (e.g., 100ms) for critical environments, not typical ones. Option B (Moderate) isn't a predefined profile. Option C (Aggressive) uses fast timers (e.g., 200ms), not slower ones. Documentation specifies 'Recommended' for standard use.


Question 1668

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following:

threat type: spyware
category: dns-c2
threat ID: 1000011111

Which set of steps should the administrator take to configure an exception for this signature?



Answer : A

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category 'dns-c2'), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.

Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.

Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.

Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.

Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.


Question 1669

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?



Answer : B

Set the Action to take when matching a packet:

Forward---Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)---Select the virtual system to which to forward the packet.

Discard---Drops the packet.

No PBF---Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c


Question 1670

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?



Answer : C

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.


Question 1671

A company CISO updates the business Security policy to identify vulnerable assets and services and deploy protection for quantum-related attacks. As a part of this update, the firewall team is reviewing the cryptography used by any devices they manage. The firewall architect is reviewing the Palo Alto Networks NGFWs for their VPN tunnel configurations. It is noted in the review that the NGFWs are running PAN-OS 11.2. Which two NGFW settings could the firewall architect recommend to deploy protections per the new policy? (Choose two.)



Answer : B, C

Quantum-related attack protection requires cryptography resistant to quantum computing, such as post-quantum algorithms. In PAN-OS 11.2, IKEv2 with Hybrid Key Exchange (Option B) combines classical and quantum-resistant algorithms for key exchange, enhancing VPN security. IKEv2 with Post-Quantum Pre-shared Keys (PPK) (Option C) uses pre-shared keys designed to resist quantum attacks, supported in IKEv2 configurations.

Option A (IKEv1 only) weakens security by avoiding PFS and modern cryptography. Option D (IPsec with Hybrid ID exchange) is not a valid PAN-OS feature. Documentation confirms IKEv2 enhancements for quantum resistance.


Question 1672

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1673

An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values:

- Source zone: Outside and source IP address 1.2.2.2

- Destination zone: Outside and destination IP address 2.2.2.1

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?



Answer : C


Question 1674

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 1675

An engineer needs to collect User-ID mappings from the company's existing proxies.

What two methods can be used to pull this data from third party proxies? (Choose two.)



Answer : B, C

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.

For further details, refer to the Palo Alto Networks documentation on User-ID integration and the 'PAN-OS Administrator's Guide'.


Question 1676

Which two profiles should be configured when sharing tags from threat logs with a User-ID agent? (Choose two.)



Answer : A, D


Question 1677

Where can a service route be configured for a specific destination IP?



Answer : C

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0


Question 1678

A security engineer needs firewall management access on a trusted interface.

Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.)



Answer : A, B, D

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile


Question 1679

A security engineer is informed that the vulnerability protection profile of their on-premises Palo Alto Networks firewall is triggering on a common Threat ID, which has been determined to be a false positive. The engineer is asked to resolve the issue as soon as possible because it is causing an outage for a critical service. The engineer opens the vulnerability protection profile to add the exception, but the Threat ID is missing.

Which action is the most operationally efficient for the security engineer to find and implement the exception?



Answer : D


Question 1680

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3.

Which command should they use?



Answer : D

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.


Question 1681

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?



Answer : C


Question 1682

An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?



Answer : A


Question 1683

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 1684

An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?



Answer : C


Question 1685

Given the following snippet of a WildFire submission log, did the end user successfully download a file?



Answer : D

URL profile action alert.

File Profile action alert.

AV and Wildfire action Reset-both

Policy Action Allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.


Question 1686

Refer to the exhibit.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?



Answer : B

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9


Question 1687

Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?



Answer : C

When troubleshooting Palo Alto Networks services, such as dynamic updates, verifying the status of service routes is critical. Service routes determine how the firewall communicates with external services (e.g., Palo Alto Networks update servers, WildFire, DNS, etc.) from the Management Plane or data plane interfaces.

Why 'debug dataplane internal vif route 250' is Correct

Purpose of the Command:

This command allows administrators to view the service routes configured on the firewall and verify if they are installed correctly and actively working.

The number 250 specifically refers to service routes in the Management Plane.

Output:

The command displays detailed information about service routes, including routing decisions, source interfaces, and next-hop IPs.

Helps identify issues such as:

Incorrect interface configuration.

Invalid next-hop IPs.

Missing routes for specific services.

Analysis of Other Options

debug dataplane internal vif route 255

Incorrect:

The number 255 does not correspond to service routes but is used for internal route debugging unrelated to management plane service routes.

show routing route type management

Incorrect:

This command does not exist in PAN-OS CLI. It might be a misrepresentation of another command.

debug dataplane internal vif route 250

Correct:

As explained above, this is the correct command for verifying service routes in the Management Plane.

show routing route type service-route

Incorrect:

This is not a valid PAN-OS CLI command.

PAN-OS Documentation Reference

Service Routes in PAN-OS 11.0:

The configuration and verification of service routes are covered under the Device > Setup > Services section of the GUI.

For CLI, the debug dataplane internal vif route 250 command is specifically used for troubleshooting service routes in the Management Plane.

For more details, refer to:

PAN-OS 11.0 CLI Guide: Covers debugging tools and service route verification.

PCNSA Study Guide: Domain 1 includes service route configurations and their importance in maintaining connectivity for management services.


Question 1688

An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes?



Answer : C

When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the 'Preview Changes' feature.

A. Click Preview Changes under Push Scope:

The 'Preview Changes' option is available under the 'Push Scope' in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.

This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.

This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.


Question 1689

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks.

Which three settings can be configured in this template? (Choose three.)



Answer : B, D, E

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates. These settings can be configured in a template named "Global" and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy. Reference: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)


Question 1690

What are three prerequisites to enable Credential Phishing Prevention over SSL? (Choose three.)



Answer : B, C, E


Question 1691

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external,

public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?



Answer : D

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK


Question 1692

An administrator has purchased WildFire subscriptions for 90 firewalls globally.

What should the administrator consider with regards to the WildFire infrastructure?



Answer : C

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud---global (U.S.), regional, and private---analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html


Question 1693

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama.

They notice that commit times have drastically increased for the PA-220s after the migration.

What can they do to reduce commit times?



Answer : A

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS


Question 1694

When using certificate authentication for firewall administration, which method is used for authorization?



Answer : A

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.


Question 1695

A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage? (Choose two.)



Answer : A, B


Question 1696

An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall.

Which priority is correct for the passive firewall?



Answer : D


Question 1697

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?



Answer : D


Question 1698

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.

Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)

Site A configuration:



Answer : C, D

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


Question 1699

When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile?



Answer : C

The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.

Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals


Question 1700

Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)



Answer : B, D


Question 1701

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 1702

An administrator is configuring a Panorama device group. Which two objects are configurable? (Choose two.)



Answer : C, D


Question 1703

What can the Log Forwarding built-in action with tagging be used to accomplish?



Answer : B

The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.

This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.

For a detailed explanation, the Palo Alto Networks' 'PAN-OS Administrator's Guide' provides information on log forwarding and automated actions.


Question 1704

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?



Answer : D


Question 1705

How can a firewall engineer bypass App-ID and content inspection features on a Palo Alto Networks firewall when troubleshooting?



Answer : B

An application override (Option B) bypasses App-ID and content inspection by forcing the firewall to classify traffic as the custom app, skipping deeper analysis. The custom app's properties (e.g., ports) define the match, and no security profiles are applied.

Option A (no scanning options) still processes App-ID. Option C (no profiles) skips inspection but not App-ID. Option D (disable SRI) only limits server response checks. Documentation confirms overrides for bypassing.


Question 1706

A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs.



Answer : B


Question 1707

A network security engineer is attempting to peer a virtual router on a PAN-OS firewall with an external router using the BGP protocol. The peer relationship is not establishing. What command could the engineer run to see the current BGP state between the two devices?



Answer : D


Question 1708

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?



Answer : D


Question 1709

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 1710

Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.

How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms?



Question 1711

As a best practice, which URL category should you target first for SSL decryption?



Answer : B

Palo Alto Networks recommends starting SSL decryption with High Risk categories (Option B) because they're more likely to contain threats (e.g., malware, phishing) that require visibility for inspection, balancing security and resource use.

Options A, C, and D (Online Storage, Health, Financial) are less risky or privacy-sensitive, making them lower priorities. Best practice guides prioritize High Risk for initial decryption.


Question 1712

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 1713

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.



Answer : A

To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a 'master device' must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.

Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.


Question 1714

What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 10.1 version?



Answer : A


Question 1715

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama, and virtual log collectors. What is the recommended order of operational steps when upgrading?



Answer : C

Palo Alto Networks best practices dictate upgrading Panorama-managed environments in this order: Panorama first, then log collectors, and finally firewalls. Panorama must be on the latest (or compatible) version to manage upgraded devices and push configurations. Log collectors follow to ensure log compatibility, and firewalls last to maintain operational continuity.

Options A, B, and D risk version mismatches or management issues. This sequence minimizes downtime and ensures compatibility, as per official upgrade guidelines.


Question 1716

Which protocol is natively supported by GlobalProtect Clientless VPN?



Answer : C


Question 1717

Exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?



Answer : D


Question 1718

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?



Answer : D


Question 1719

During a routine security audit, the risk and compliance team notices a series of WildFire logs that contain a "malicious" verdict and the action "allow." Upon further inspection, the team confirms that these same threats are automatically blocked by the firewalls the following day. How can the existing configuration be adjusted to ensure that new threats are blocked within minutes instead of having to wait until the following day?



Answer : B

A WildFire Submissions entry with verdict 'malicious' and action 'allow' means the file was forwarded for analysis and let through at the time; the verdict came back later, and the firewall only started blocking that file once it received a WildFire signature for it. WildFire signatures are delivered by the WildFire content package, which is separate from the daily Antivirus package. If the firewall fetches WildFire updates only on a long schedule, or the Antivirus profile's WildFire action is allow or alert, new threats are not stopped until the next day. Configuring the Antivirus security profile (Option B) with a blocking WildFire action (such as reset-both) for the relevant protocols, together with a Real-time (or every-minute) WildFire update schedule, closes that window to minutes: a verdict is typically returned within about five minutes and the signature is distributed shortly after.

Option A (WildFire analysis profile) defines what files are sent to WildFire but doesn't control blocking actions. Option C (File Blocking profile) manages file type blocking, not threat verdicts. Option D (file size limits) affects submission eligibility, not blocking behavior. The Antivirus profile is the key to real-time WildFire enforcement, as per Palo Alto Networks documentation.
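The audit finding above is easy to reproduce from an export of the WildFire Submissions log. The following Python is an added example, not firewall code or a Palo Alto Networks tool: it parses constructed log rows (the column names mirror the ones an administrator would export from Monitor > Logs > WildFire Submissions; the file digests and addresses are placeholders), lists malicious verdicts that were allowed, and measures how long each file hash stayed allowed before a blocking action appeared, so the gap can be compared against the expected minutes.

```python
"""Added example, not firewall code: find WildFire 'malicious' verdicts that
were allowed and measure the delay until the same file was first blocked.

SAMPLE_LOG is constructed; the column names follow the WildFire Submissions
export, the digests and IP addresses are placeholders.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Optional

SAMPLE_LOG = """receive_time,app,src,dst,filedigest,filetype,verdict,action
2024/03/11 09:02:11,web-browsing,10.1.20.15,203.0.113.40,aaaa1111,pe,malicious,allow
2024/03/11 09:15:42,smtp,203.0.113.9,10.1.30.2,bbbb2222,pdf,benign,allow
2024/03/11 09:30:00,web-browsing,10.1.20.22,198.51.100.7,cccc3333,pe,malicious,reset-both
2024/03/12 08:10:03,web-browsing,10.1.20.15,203.0.113.40,aaaa1111,pe,malicious,block
2024/03/12 08:11:00,web-browsing,10.1.20.31,203.0.113.41,dddd4444,pe,malicious,allow
"""

# Antivirus profile actions that actually stop the transfer.
BLOCKING_ACTIONS = {"block", "drop", "reset-both", "reset-client", "reset-server"}
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_log(text: str) -> List[dict]:
    """CSV export -> list of row dicts with receive_time as a datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["receive_time"] = datetime.strptime(row["receive_time"], TIME_FMT)
    return rows


def allowed_malicious(rows: List[dict]) -> List[dict]:
    """Rows the audit team flagged: malicious verdict, non-blocking action."""
    return [r for r in rows
            if r["verdict"] == "malicious" and r["action"] not in BLOCKING_ACTIONS]


def enforcement_gap(rows: List[dict]) -> Dict[str, Optional[timedelta]]:
    """Per digest that was allowed while malicious: time from the first allow
    to the first blocking action that followed it, or None if never blocked."""
    first_allow: Dict[str, datetime] = {}
    first_block: Dict[str, datetime] = {}
    for r in sorted(rows, key=lambda row: row["receive_time"]):
        if r["verdict"] != "malicious":
            continue
        digest = r["filedigest"]
        if r["action"] in BLOCKING_ACTIONS:
            # only a block that comes after the first allow closes the gap
            if digest in first_allow and digest not in first_block:
                first_block[digest] = r["receive_time"]
        else:
            first_allow.setdefault(digest, r["receive_time"])
    return {d: (first_block[d] - t) if d in first_block else None
            for d, t in first_allow.items()}


def needs_attention(rows: List[dict],
                    max_gap: timedelta = timedelta(minutes=15)) -> List[str]:
    """Digests whose allow-to-block gap exceeds what real-time WildFire
    updates should deliver, plus digests that were never blocked at all."""
    return sorted(d for d, gap in enforcement_gap(rows).items()
                  if gap is None or gap > max_gap)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for digest, gap in enforcement_gap(parsed).items():
        print(f"{digest}: {'never blocked' if gap is None else gap}")
    print("investigate:", needs_attention(parsed))
```

Run against a real export, the digests reported by `needs_attention` are the ones to search in the Threat log after the Antivirus profile and WildFire update schedule have been changed; a healthy deployment should show gaps of minutes, not hours.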


Question 1720

In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels? (Choose two.)



Answer : A, B


Question 1721

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection'?



Answer : A


Question 1722

How should an administrator enable the Advance Routing Engine on a Palo Alto Networks firewall?



Answer : B

The Advanced Routing Engine (available from PAN-OS 10.2) replaces the legacy virtual router with logical routers and a richer routing stack, and it is switched on globally, not per virtual router. The administrator enables it under Device > Setup > Management > General Settings by selecting Advanced Routing, commits the change, and then reboots the firewall; the setting does not take effect until the reboot. After the reboot the Network tab presents Logical Routers in place of Virtual Routers, and the existing virtual router configuration has to be migrated to a logical router before routing resumes, so the change should be planned as a maintenance window rather than a quick commit.


Question 1723

In the following image from Panorama, why are some values shown in red?



Answer : C


Question 1724

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?



Answer : A


Question 1725

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?



Answer : B

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping


Question 1726

A company uses GlobalProtect for its VPN and wants to allow access to users who have only an endpoint solution installed. Which sequence of configuration steps will allow access only for hosts that have antivirus or anti-spyware enabled?



Answer : D


Question 1727

An administrator is building Security rules within a device group to block traffic to and from malicious locations.

How should those rules be configured to ensure that they are evaluated with a high priority?



Answer : A

On a Panorama-managed firewall the Security rulebase is evaluated top-down, first match wins, in this order: Shared pre-rules, pre-rules of the device group hierarchy (ancestor groups before descendants), the firewall's locally defined rules, post-rules of the device group hierarchy (descendants before ancestors), Shared post-rules, and finally the default intrazone and interzone rules. Placing the block rules at the top of the Pre Rules of the device group (or of Shared, if they must apply to every device group) guarantees they are evaluated before any local rule or post-rule, so nothing pushed lower in the hierarchy can shadow them.

For verification, please refer to the Palo Alto Networks 'PAN-OS Administrator's Guide' or the official configuration documentation for Panorama and device group rules.
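The merge order described above is easier to reason about as code. The following Python is an added illustration, not Panorama code: it models the effective rulebase a firewall sees when it belongs to a device-group hierarchy (Shared at the root, a descendant chain below it), with the ordering used in the answer above. The device-group and rule names are constructed.

```python
"""Added example (not Panorama code): the order in which a firewall evaluates
Security rules received from a Panorama device-group hierarchy.

Device-group names and rule names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]                        # None only for "Shared"
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)


def hierarchy_path(groups: Dict[str, DeviceGroup], leaf: str) -> List[str]:
    """Ancestry of `leaf` from Shared down to the leaf itself."""
    path: List[str] = []
    cur: Optional[str] = leaf
    while cur is not None:
        path.append(cur)
        cur = groups[cur].parent
    return path[::-1]


def merged_rulebase(groups: Dict[str, DeviceGroup], leaf: str,
                    local_rules: List[str]) -> List[str]:
    """Effective top-to-bottom Security rulebase on a firewall in `leaf`.

    Pre-rules come first (Shared, then ancestors, then the leaf group),
    then the firewall's local rules, then post-rules in reverse order
    (leaf group first, Shared last), then the default rules.
    """
    path = hierarchy_path(groups, leaf)
    order: List[str] = []
    for name in path:                 # Shared -> ... -> leaf
        order.extend(groups[name].pre_rules)
    order.extend(local_rules)
    for name in reversed(path):       # leaf -> ... -> Shared
        order.extend(groups[name].post_rules)
    order.extend(["intrazone-default", "interzone-default"])
    return order


def first_matching_rule(rulebase: List[str],
                        matches: Dict[str, bool]) -> Optional[str]:
    """First-match semantics: `matches` says, per rule name, whether a given
    session matches that rule; the first True in rulebase order wins."""
    for rule in rulebase:
        if matches.get(rule, False):
            return rule
    return None


# Constructed hierarchy: Shared -> CORP -> DATACENTER_DG
GROUPS: Dict[str, DeviceGroup] = {
    "Shared": DeviceGroup("Shared", None,
                          pre_rules=["Block-Malicious-Sources",
                                     "Block-Malicious-Destinations"],
                          post_rules=["Shared-Cleanup-Deny"]),
    "CORP": DeviceGroup("CORP", "Shared",
                        pre_rules=["Allow-Monitoring"],
                        post_rules=["Corp-Deny-All"]),
    "DATACENTER_DG": DeviceGroup("DATACENTER_DG", "CORP",
                                 pre_rules=["Allow-DC-Backups"],
                                 post_rules=["DC-Deny-Log"]),
}
LOCAL_RULES = ["Local-Allow-Mgmt"]      # defined on the firewall itself

if __name__ == "__main__":
    for i, rule in enumerate(merged_rulebase(GROUPS, "DATACENTER_DG", LOCAL_RULES), 1):
        print(f"{i:2d}. {rule}")
```

The point of `first_matching_rule` is the shadowing argument: a session that would also match `Corp-Deny-All` is still caught by `Block-Malicious-Sources`, because the Shared pre-rule sits above everything a lower device group or the local administrator can add.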


Question 1728

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)



Answer : B, C


Question 1729

Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?



Answer : A


Question 1730

Based on the images below, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?



Answer : C


Question 1731

SAML SLO is supported for which two firewall features? (Choose two.)



Answer : A, B


Question 1732

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)



Answer : B, C

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B . Define a Forward Trust Certificate:

A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C . Configure SSL decryption rules:

SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.


Question 1733

A company wants to implement threat prevention to take action without redesigning the network routing.

What are two best practice deployment modes for the firewall? (Choose two.)



Answer : B, D


Question 1734

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install.

When performing a PAN-OS upgrade on Panorama, what is a potential cause of a failed install?



Answer : A

One potential cause of a failed install when upgrading Panorama is an outdated plugin. Plugins are software extensions that let Panorama interact with Palo Alto Networks cloud services and third-party platforms, and each plugin version depends on specific PAN-OS versions. They must therefore be updated to a version compatible with the target Panorama release, before or after the Panorama upgrade as the plugin compatibility matrix specifies. If they are not, the upgrade can fail, or the features the plugin provides can stop working after the upgrade. Reference: Panorama Plugins Upgrade/Downgrade Considerations, Troubleshoot Your Panorama Upgrade, PCNSE Study Guide (page 54)


Question 1736

A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)



Answer : A, B


Question 1737

In a template, which two objects can be configured? (Choose two.)



Answer : B, C

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html


Question 1738

An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?



Answer : A


Question 1739

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down.

What could an administrator do to troubleshoot the issue?



Answer : B

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF4CAK


Question 1740

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?



Answer : B

The compare option for a specific rule in the New App Viewer under Policy Optimizer lets an administrator compare the applications configured in the rule with the applications actually seen in traffic matching that rule. This highlights App-IDs newly introduced by content updates that now match the rule without being explicitly listed in it, shows usage statistics and risk levels for those applications, and lets the administrator add them to the rule (or to a cloned rule) so the rule stays explicit. Reference: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)


Question 1741

A firewall engineer is managing a Palo Alto Networks NGFW that does not have a DHCP server or DHCP relay agent configuration. Which interface mode can forward the broadcast DHCP traffic?



Answer : B


Question 1742

A company has a PA-3220 NGFW at the edge of its network and wants to use active directory groups in its Security policy rules. There are 1500 groups in its active directory. An engineer has been provided 800 active directory groups to be used in the Security policy rules.

What is the engineer's next step?



Answer : B


Question 1743

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?



Answer : C

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C . It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fall back to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is blocked or unreliable. SSL/TLS provides a secure tunnel, generally with somewhat lower throughput than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.


Question 1744

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)



Answer : A, B, D


Question 1745

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.

Which three platforms support PAN-OS 10.2? (Choose three.)



Answer : A, B, E

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls


Question 1746

An organization is interested in migrating from its existing web proxy architecture to the Web Proxy feature of its PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the destination IP address of the web server and the client browser is redirected to the proxy.

Which PAN-OS proxy method should be configured to maintain this type of traffic flow?



Answer : D

For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy


Question 1747

Users have reported an issue when they are trying to access a server on your network. The requests aren't taking the expected route. You discover that there are two different static routes on the firewall for the server. What is used to determine which route has priority?



Answer : B

When two static routes exist for the same destination prefix, the virtual router compares their administrative distance (AD) and installs the route with the lowest AD into the forwarding table. AD is configurable per static route (default 10 on PAN-OS), which is what lets an administrator prefer one next hop over another. If the AD values are equal, the metric (default 10) breaks the tie. Longest prefix match is applied before either comparison, so a more specific prefix always wins regardless of AD.

Option A (first route installed) is incorrect, as route installation order does not determine priority. Option C (Bidirectional Forwarding Detection) is a protocol for detecting link failures, not route priority. Option D (highest AD) is the opposite of the correct behavior. This aligns with standard routing principles and Palo Alto's implementation.
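The selection order in the answer above (longest prefix, then lowest administrative distance, then lowest metric, with installation order playing no part) is small enough to model directly. The following Python is an added example, not PAN-OS code; the routing table is constructed, and the two static routes to 10.10.10.0/24 are deliberately listed with the less preferred one first.

```python
"""Added example (not PAN-OS code): how a virtual router picks among
candidate routes. Longest prefix wins first; among routes to the same prefix
the lowest administrative distance wins; a tie on distance falls to the
lowest metric. The route table below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str = "static"
    admin_distance: int = 10   # PAN-OS default AD for a static route
    metric: int = 10           # PAN-OS default metric for a static route


def candidates(rib: List[Route], destination: str) -> List[Route]:
    """Every table entry whose prefix covers the destination address."""
    addr = ip_address(destination)
    return [r for r in rib if addr in ip_network(r.prefix)]


def best_route(rib: List[Route], destination: str) -> Optional[Route]:
    """The route the forwarding table would use for `destination`.

    Sort key: longest prefix first (negated prefix length), then lowest
    administrative distance, then lowest metric. List order is irrelevant.
    """
    cands = candidates(rib, destination)
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                     r.admin_distance, r.metric))


def explain(rib: List[Route], destination: str) -> str:
    """One-line description of the chosen route, for troubleshooting output."""
    chosen = best_route(rib, destination)
    if chosen is None:
        return f"{destination}: no route"
    return (f"{destination}: via {chosen.next_hop} ({chosen.prefix}, "
            f"AD {chosen.admin_distance}, metric {chosen.metric})")


# Constructed routing table. 192.0.2.2 was "installed first" but has the
# higher AD, so it loses to 192.0.2.3 even though 192.0.2.3's metric is worse.
RIB: List[Route] = [
    Route("10.10.0.0/16", "192.0.2.1"),
    Route("10.10.10.0/24", "192.0.2.2", admin_distance=20, metric=10),
    Route("10.10.10.0/24", "192.0.2.3", admin_distance=10, metric=50),
    Route("0.0.0.0/0", "198.51.100.1"),
]

if __name__ == "__main__":
    for dest in ("10.10.10.50", "10.10.20.5", "8.8.8.8"):
        print(explain(RIB, dest))
```

When users report the "wrong" path, feeding the output of `show routing route` into a table like this and calling `explain` for the server's address shows which of the three criteria actually decided the choice.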


Question 1748

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production.

Which three parts of a template an engineer can configure? (Choose three.)



Answer : A, C, D

A, C, and D are the correct answers because they are parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that Panorama pushes to multiple firewalls. Examples of what a template can contain:

A: NTP Server Address: the address of the Network Time Protocol server that synchronizes the clock on the firewall.

C: Authentication Profile: the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: the configuration that specifies which interface and source IP address the firewall uses to reach external services such as DNS, email, syslog, and updates.


Question 1749

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?



Answer : A


Question 1750

How is Perfect Forward Secrecy (PFS) enabled when troubleshooting a VPN Phase 2 mismatch?



Answer : C

On PAN-OS, Perfect Forward Secrecy for Phase 2 is controlled by the DH Group field of the IPSec Crypto profile (Network > Network Profiles > IPSec Crypto). Selecting a Diffie-Hellman group (for example group14) enables PFS and forces a fresh DH exchange for every IPSec SA; selecting no-pfs disables it. Both peers must either disable PFS or agree on the same group, otherwise the Phase 2 proposal is rejected and the tunnel fails to come up even though Phase 1 succeeds.

Option A is incorrect: the IKE Gateway advanced options hold Phase 1 settings such as exchange mode, passive mode, NAT traversal and dead peer detection, not PFS. Option B (IPSec Tunnel) references the crypto profile but does not set PFS itself. Option D (authentication algorithm) is a separate proposal parameter and does not enable PFS.
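When a Phase 2 mismatch is being chased, the useful habit is to write down both peers' Phase 2 parameters side by side and compare them field by field, including the PFS DH group from the IPSec Crypto profile and the Proxy IDs (which must mirror each other: the local peer's Local is the remote peer's Remote). The following Python is an added example, not PAN-OS code, that performs that comparison; the profiles and Proxy IDs are constructed.

```python
"""Added example (not PAN-OS code): compare the Phase 2 settings of two VPN
peers the way an engineer does during a mismatch, covering the ESP proposal,
the PFS DH group carried in the IPSec Crypto profile, and the Proxy IDs.
All values below are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class IPSecCrypto:
    """Phase 2 proposal, as configured in an IPSec Crypto profile."""
    encryption: List[str]          # e.g. ["aes-256-cbc", "aes-128-cbc"]
    authentication: List[str]      # e.g. ["sha256"]
    dh_group: str = "no-pfs"       # any groupN value turns PFS on


@dataclass
class ProxyID:
    local: str                     # local subnet
    remote: str                    # remote subnet
    protocol: str = "any"


@dataclass
class Phase2:
    crypto: IPSecCrypto
    proxy_ids: List[ProxyID]


def pfs_enabled(crypto: IPSecCrypto) -> bool:
    return crypto.dh_group != "no-pfs"


def phase2_mismatches(local: Phase2, peer: Phase2) -> List[str]:
    """Human-readable list of reasons the Phase 2 negotiation would fail."""
    problems: List[str] = []
    if not set(local.crypto.encryption) & set(peer.crypto.encryption):
        problems.append("no common ESP encryption algorithm")
    if not set(local.crypto.authentication) & set(peer.crypto.authentication):
        problems.append("no common ESP authentication algorithm")
    # PFS: both off, or both on with the same DH group.
    if pfs_enabled(local.crypto) != pfs_enabled(peer.crypto):
        problems.append(f"PFS mismatch: local {local.crypto.dh_group}, "
                        f"peer {peer.crypto.dh_group}")
    elif pfs_enabled(local.crypto) and local.crypto.dh_group != peer.crypto.dh_group:
        problems.append(f"PFS DH group mismatch: local {local.crypto.dh_group}, "
                        f"peer {peer.crypto.dh_group}")
    # Proxy IDs must mirror each other across the tunnel.
    mirrored = {(p.remote, p.local, p.protocol) for p in peer.proxy_ids}
    for p in local.proxy_ids:
        if (p.local, p.remote, p.protocol) not in mirrored:
            problems.append(f"proxy ID {p.local} -> {p.remote} has no mirror on peer")
    return problems


if __name__ == "__main__":
    ours = Phase2(IPSecCrypto(["aes-256-cbc"], ["sha256"], "group14"),
                  [ProxyID("10.1.0.0/16", "10.2.0.0/16")])
    theirs = Phase2(IPSecCrypto(["aes-256-cbc"], ["sha256"], "no-pfs"),
                    [ProxyID("10.2.0.0/16", "10.1.0.0/16")])
    for problem in phase2_mismatches(ours, theirs) or ["Phase 2 proposals agree"]:
        print(problem)
```

The PFS check is the one most often missed on the peer side, because a third-party device may label the same setting "PFS group" under its Phase 2 or "IPsec proposal" settings rather than in a crypto profile.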


Question 1751

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)



Answer : A, C, D

https://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html


Question 1752

When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic?



Answer : B

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, disable config sync on both firewalls first. Config sync lets the two firewalls in an HA pair keep their configurations identical; while the imported configuration is being verified and committed on Panorama you want no configuration change on one firewall to be replicated to the other. Disable config sync before importing, and re-enable it after the changes have been committed on Panorama and pushed to both firewalls. Reference: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)


Question 1753

How does Panorama prompt VMWare NSX to quarantine an infected VM?



Answer : A


Question 1754

Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis? (Choose two.)



Answer : B, D


Question 1755

Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?



Answer : D

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516


Question 1756

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?



Answer : B

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application


Question 1757

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access.

What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?



Answer : B

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B . The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.

Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.

Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.
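The two upgrade answers on this page (the device order in Question 1715: Panorama, then Log Collectors, then firewalls; and the version path above: preferred maintenance release of the current feature release, then each intermediate feature release's base image followed by its preferred maintenance release, then the target) combine naturally into a plan generator. The following Python is an added example, not Palo Alto Networks tooling. The feature-release list, the preferred maintenance release strings and the device inventory are constructed placeholders; the real preferred releases must be looked up on the Customer Support Portal.

```python
"""Added example (not Palo Alto Networks tooling): build an upgrade plan
that follows the documented feature-release path for each device and
orders devices Panorama -> Log Collectors -> firewalls.

FEATURE_RELEASES, PREFERRED and the inventory are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Ordered feature releases the plan may pass through (constructed).
FEATURE_RELEASES: List[str] = ["10.1", "10.2", "11.0"]
# Preferred maintenance release per feature release. Placeholder strings;
# the real values come from the support portal, not from this table.
PREFERRED: Dict[str, str] = {
    "10.1": "10.1.x-preferred",
    "10.2": "10.2.x-preferred",
    "11.0": "11.0.x-preferred",
}
ROLE_ORDER: Dict[str, int] = {"panorama": 0, "log-collector": 1, "firewall": 2}

Step = Tuple[str, str]            # (action, version)
Device = Tuple[str, str, str]     # (name, role, current version)


def feature_of(version: str) -> str:
    """'10.1.3' -> '10.1'."""
    return ".".join(version.split(".")[:2])


def version_path(current: str, target: str) -> List[Step]:
    """Ordered steps from `current` to `target` across feature releases."""
    cur_f, tgt_f = feature_of(current), feature_of(target)
    i, j = FEATURE_RELEASES.index(cur_f), FEATURE_RELEASES.index(tgt_f)
    if j < i:
        raise ValueError("downgrades follow a different procedure")
    steps: List[Step] = []
    if i == j:                                   # same feature release
        if current != target:
            steps.append(("install", target))
        return steps
    # 1. bring the current feature release to its preferred maintenance release
    if current != PREFERRED[cur_f]:
        steps.append(("install", PREFERRED[cur_f]))
    # 2. for every later feature release up to the target: stage the base
    #    image, then install that release's preferred maintenance release
    #    (or the requested target version on the final feature release)
    for f in FEATURE_RELEASES[i + 1:j + 1]:
        steps.append(("base-image", f + ".0"))
        steps.append(("install", target if f == tgt_f else PREFERRED[f]))
    return steps


def upgrade_plan(devices: List[Device], target: str) -> List[Tuple[str, str, List[Step]]]:
    """Per-device steps, ordered Panorama first, then collectors, then firewalls."""
    ordered = sorted(devices, key=lambda d: ROLE_ORDER[d[1]])
    return [(name, role, version_path(ver, target)) for name, role, ver in ordered]


# Constructed inventory.
INVENTORY: List[Device] = [
    ("fw-edge-1", "firewall", "10.1.3"),
    ("panorama-1", "panorama", "10.1.3"),
    ("lc-1", "log-collector", "10.1.3"),
]

if __name__ == "__main__":
    for name, role, steps in upgrade_plan(INVENTORY, "11.0.2"):
        print(f"{name} ({role}):")
        for action, version in steps:
            print(f"    {action:10s} {version}")
```

Because `version_path` refuses to plan a downgrade, a device whose current version is already past the target shows up as an error rather than silently producing an empty step list, which is the failure a practitioner wants to notice before a change window.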


Question 1758

A network administrator configured a site-to-site VPN tunnel where the peer device will act as initiator. None of the peer addresses are known.

What can the administrator configure to establish the VPN connection?



Answer : B

When the peer is the initiator and its address is not known, the administrator enables Passive Mode on the IKE Gateway (Advanced Options), so the firewall only responds to IKE negotiations and never attempts to initiate one toward an address it does not have. Option A, certificate authentication, decides how the peers authenticate, not how an unknown peer is reached. Option C, the Dynamic peer IP address type, is the address-type setting used for a peer with an unknown address and is commonly combined with passive mode, but the setting that makes this firewall wait for the peer to initiate is Passive Mode. Option D requires a resolvable FQDN for the peer, which is not available here.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0


Question 1759

An engineer troubleshoots a high availability (HA) link that is unreliable.

Where can the engineer view what time the interface went down?



Question 1760

An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.

What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?



Answer : D

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule that allows Evernote, the administrator only needs to add the evernote application to the rule. Evernote is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface, and it implicitly uses ssl and web-browsing: those dependencies are allowed automatically when evernote is allowed, so there is no need to add ssl, web-browsing, or any HTTP application to the same rule. Adding them would broaden the scope of the rule and allow unrelated SSL and web traffic. Reference: App-ID Overview, Create a Security Policy Rule


Question 1763

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what action, if any, was taken by the active firewall when the link failed?



Answer : C


Question 1764

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes.

Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?



Answer : C

The long idle periods are handled by creating a custom application (Objects > Applications) with its own session timeouts on the Advanced tab, so the firewall does not expire the sessions before the client and server resume exchanging data. Referencing that custom application from an application override rule (Policies > Application Override) then matches the traffic on source, destination, port and protocol and labels it in the Traffic logs with the custom application's name, which is the quickest way to get the traffic reported under a meaningful name instead of unknown-tcp.

C . The process involves:

Creating the custom application with timeouts that fit the application's idle behavior, so the session is held open across the hours of silence.

Creating an application override rule whose match criteria (zones, addresses, protocol, port) single out this traffic, and selecting the custom application as the override.

The caveat a practitioner should keep in mind: an application override rule replaces App-ID classification and skips threat inspection for the matching traffic, which is acceptable here only because the application is trusted. If the App-ID engine itself must classify the traffic, the custom application needs signatures (patterns taken from packet captures of the application) and no override rule, which takes longer to build.


Question 1766

In which two scenarios is it necessary to use Proxy IDs when configuring site-to-site VPN tunnels? (Choose two.)



Answer : A, C


Question 1767

Which sessions does Packet Buffer Protection apply to when used on ingress zones to protect against single-session DoS attacks?



Answer : D


Question 1768

An engineer is monitoring an active/active high availability (HA) firewall pair.

Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?



Answer : B

In an active/active high availability (HA) pair, a firewall that loses a monitored path or link enters the Tentative state. In that state it synchronizes sessions and configuration from its peer and, although it still receives packets on its interfaces, forwards them over the HA3 link to the peer for processing until the monitored object recovers; it is not forwarding on its own. Therefore the correct answer is B, Tentative.


Question 1769

Based on the images below, and with no configuration inside the Template Stack itself, what access will the device permit on its management port?



Answer : D


Question 1770

When creating a Policy-Based Forwarding (PBF) rule, which two components can be used? (Choose two.)



Answer : C, D


Question 1771

Which statement is correct given the following message from the PanGPA log on the GlobalProtect app?

Failed to connect to server at port:4767



Answer : C

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

